diff --git a/Consolidates b/Consolidates new file mode 100644 index 000000000..e69de29bb diff --git a/Derived b/Derived new file mode 100644 index 000000000..e69de29bb diff --git a/docs/advisory-ai/console.md b/docs/advisory-ai/console.md index 98afce919..f493d69ac 100644 --- a/docs/advisory-ai/console.md +++ b/docs/advisory-ai/console.md @@ -49,6 +49,14 @@ This guide documents the forthcoming Advisory AI console experience so that cons ``` The ribbon should hyperlink the `links.plan` and `links.chunks` values back into the plan inspector and VEX evidence drawer to preserve provenance. +### 2.3 SBOM / DSSE evidence hooks +- Every response panel links to the sealed SBOM/VEX bundle emitted by Advisory AI. Until the live endpoints land, use the published fixtures: + - VEX statement SSE stream: `docs/api/console/samples/vex-statement-sse.ndjson` + - Guardrail banner projection: `docs/api/console/samples/advisory-ai-guardrail-banner.json` + - Findings overview payload: `docs/api/console/samples/vuln-findings-sample.json` +- When capturing screenshots, point the console to a dev workspace seeded with the above fixtures and record the build hash displayed in the footer to keep captures reproducible. +- Store captures under `docs/assets/advisory-ai/console/` using the scheme `yyyyMMdd-HHmmss--.png` (UTC clock) so regeneration is deterministic. Keep the original JSON alongside each screenshot by saving the response as `…-payload.json` in the same folder. + ## 3. Accessibility & offline requirements - Console screens must pass WCAG 2.2 AA contrast and provide focus order that matches the keyboard shortcuts planned for Advisory AI (see `docs/advisory-ai/overview.md`). - All screenshots captured for this doc must come from sealed-mode bundles (no external fonts/CDNs). Store them under `docs/assets/advisory-ai/console/` with hashed filenames. 
@@ -99,9 +107,10 @@ This guide documents the forthcoming Advisory AI console experience so that cons ## 5. Open items before publication - [ ] Replace placeholder API responses with captures from the first merged build of CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001. -- [ ] Capture at least two screenshots (list view + evidence drawer) once UI polish is complete. +- [ ] Capture at least two screenshots (list view + evidence drawer) using the fixture-backed workspace; commit both `*-payload.json` and `*-screenshot.png` with deterministic filenames. - [ ] Verify copy-as-ticket instructions with Support to ensure the payload fields align with existing SOC runbooks. - [ ] Add latency tooltip + remote/local badge screenshots after Grafana wiring is stable. +- [ ] Attach SBOM/VEX bundle example (sealed DSSE) to the doc and link it from Section 2.3 for auditors. > Tracking: DOCS-AIAI-31-004 (Docs Guild, Console Guild) diff --git a/docs/implplan/SPRINT_0112_0001_0001_concelier_i.md b/docs/implplan/SPRINT_0112_0001_0001_concelier_i.md new file mode 100644 index 000000000..56eb0216a --- /dev/null +++ b/docs/implplan/SPRINT_0112_0001_0001_concelier_i.md 
@@ -0,0 +1,78 @@ +# Sprint 0112-0001-0001 · Concelier I — Canonical Evidence & Provenance (Rebaseline 2025-11-13) + +## Topic & Scope +- Deliver canonical advisory chunks with provenance anchors so Advisory AI consumes source-true data (no merge transforms) with deterministic ordering and cache keys. +- Keep Concelier aligned with competitor schemas (GHSA GraphQL, Red Hat CVE API, Cisco PSIRT openVuln) while remaining offline-capable and attestation-ready. +- Prepare mirror/offline provenance paths and transparency metadata so Attestor and Console surfaces can expose document-id + observation-path handles. +- Working directory: `src/Concelier` (WebService + Core libraries). + +### Canonical model commitments (unchanged) +- `/advisories/{key}/chunks` render from the canonical `Advisory` aggregate (document id + latest observation set) only. +- Each structured field cites both the Mongo `_id` of the backing observation and the JSON Pointer into that observation (`observationPath`). +- Deterministic ordering: sort entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes. +- Continue mapping competitor field names to keep migrations predictable. + +## Dependencies & Concurrency +- Link-Not-Merge schema review (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) scheduled 2025-11-14 gates Workstreams A and D. +- Mirror staffing for MIRROR-CRT-56-001 (kickoff 2025-11-15) blocks Workstream B chain (AIRGAP-56/57/58). +- Evidence Locker attestation contract alignment (with Excititor plan) needed for ATTEST-73 before Workstream C starts. +- Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013` + `AUTH-SIG-26-001`) required before Workstream E closes. 
+ +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md and related module dossier +- docs/provenance/inline-dsse.md (for structured provenance schema) + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-AIAI-31-002 | DOING | Await Link-Not-Merge sign-off; finish `ResolveAdvisoryAsync` + cache key update. | Concelier WebService Guild | Program.cs handler emits structured entries with `{chunkId,fingerprint,entries[],provenance.documentId,provenance.observationPath}`; deterministic ordering; Mongo2Go tests updated. | +| 2 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | None | Concelier WebService Guild · Observability Guild | OTEL counters: `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total` tagged with tenant/result/cache. | +| 3 | CONCELIER-AIRGAP-56-001 | TODO | Staff MIRROR-CRT-56-001; implement Offline Kit read path. | Concelier Core Guild | Mirror ingestion adapters persist `bundleId`, `merkleRoot`, append-only ledger comparisons. | +| 4 | CONCELIER-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Importer Guild | Store `{bundleId, merkleRoot, observationPath}` on observations/linksets for single-source provenance. | +| 5 | CONCELIER-AIRGAP-57-001 | TODO | Depends on 56-001 | Concelier Core Guild · AirGap Policy Guild | Sealed-mode feature flag rejects non-mirror connectors with actionable diagnostics. | +| 6 | CONCELIER-AIRGAP-57-002 | TODO | Depends on 56-002 | Concelier Core Guild · AirGap Time Guild | Compute `fetchedAt/publishedAt/clockSource` deltas and expose via observation APIs. 
| +| 7 | CONCELIER-AIRGAP-58-001 | TODO | Depends on 57-002 | Concelier Core Guild · Evidence Locker Guild | Portable advisory evidence bundles include provenance notes and verifier instructions. | +| 8 | CONCELIER-ATTEST-73-001 | TODO | Needs Workstream A output + attestation sequencing | Concelier Core Guild · Attestor Service Guild | Emit `{observationDigest, linksetDigest, documentId}` pairs for DSSE bundles. | +| 9 | CONCELIER-ATTEST-73-002 | TODO | Depends on 73-001 | Concelier Core Guild | Transparency metadata exposes `bundleId`, Rekor refs, observation paths for external explorers. | +| 10 | CONCELIER-CONSOLE-23-001 | TODO | Blocked by Link-Not-Merge schema | Concelier WebService Guild · BE-Base Platform Guild | `/console/advisories` groups linksets with severity/status chips and provenance `{documentId, observationPath}`. | +| 11 | CONCELIER-CONSOLE-23-002 | TODO | Depends on 23-001 | Concelier WebService Guild | Deterministic dashboard deltas API returns new/modified/conflicting sets referencing linkset IDs and field paths. | +| 12 | CONCELIER-CONSOLE-23-003 | TODO | Depends on Workstream A taxonomy | Concelier WebService Guild | Search fan-out helpers for CVE/GHSA/PURL with observation excerpts, provenance anchors, cache hints. | +| 13 | CONCELIER-CORE-AOC-19-013 | TODO | Waits for structured endpoint readiness + AUTH-SIG-26-001 | Concelier Core Guild | Smoke/e2e suites enforce Authority tokens + tenant headers on ingest/read paths; provenance anchors round-trip. | + +### Implementation checklist (applies to CONCELIER-AIAI-31-002) +1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard. +2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`. +3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors. +4. Refresh telemetry tests to assert `Response.Entries.Count`. +5. 
Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references. + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-12 | CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic (cache hit ratios + guardrail blocks per tenant). | Concelier WebService Guild | +| 2025-11-13 | Rebaseline: locked structured field scope to canonical model + provenance anchors aligned to competitor schemas. | Planning | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_112_concelier_i.md` to `SPRINT_0112_0001_0001_concelier_i.md`; no semantic changes. | Planning | + +## Decisions & Risks +- Link-Not-Merge schema slip past 2025-11-14 would stall Workstreams A and D; fallback adapter prep required. +- Mirror staffing unresolved blocks AIRGAP-56/57/58 and Offline Kit parity; escalate at 2025-11-15 kickoff. +- Evidence Locker contract delay would stall ATTEST-73, leaving Advisory AI without attested provenance. +- Authority smoke coverage gap risks AOC guardrails regressing when structured endpoint ships; pairing with Authority guild planned once Workstream A PR is ready. +- Status snapshot (as of 2025-11-13): A 🔶 DOING; B 🔴 BLOCKED; C 🔴 BLOCKED; D 🔶 WATCHING; E 🔶 WATCHING. + +## Next Checkpoints +- 2025-11-14: Link-Not-Merge schema review (CARTO-GRAPH-21-002) — gate for Workstreams A/D. +- 2025-11-15: MIRROR-CRT-56-001 staffing kickoff; also Excititor/Evidence Locker sequencing for ATTEST-73. +- 2025-11-16: Target actions — finish structured endpoint changes, draft Advisory AI structured schema appendix, prep `/console/advisories` API spec, clone Authority smoke suites once ready. +- Standup prompts: (1) Did Link-Not-Merge review resolve blocking fields? (2) Who owns MIRROR-CRT-56-001 post-kickoff and staffing for AIRGAP follow-ons? (3) Did Evidence Locker accept attestation contract draft for ATTEST-73-001 start? 
(4) Are Authority/AOC smoke tests ready to clone once structured fields release, or is more scope needed from AUTH-SIG-26-001? + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. | +| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. | +| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. | +| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. | + diff --git a/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md b/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md new file mode 100644 index 000000000..caac100f2 --- /dev/null +++ b/docs/implplan/SPRINT_0113_0001_0002_concelier_ii.md 
@@ -0,0 +1,59 @@ +# Sprint 0113-0001-0002 · Concelier II — Ingestion & Evidence (Phase 110.B) + +## Topic & Scope +- Advance Link-Not-Merge ingestion so advisories stay append-only with provenance-first observations and linksets. +- Enable graph overlays (Cartographer) with raw observations/linksets, change events, and batch evidence APIs—no merge-derived judgments. +- Lay storage/event foundations (Mongo, object store, NATS/Redis) for scalable, tenant-scoped advisory data. +- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService). + +## Dependencies & Concurrency +- Depends on Sprint 0112-0001-0001 (Concelier I) for canonical advisory outputs. +- Link-Not-Merge schema chain (CONCELIER-LNM-21-001…005, 101…103, 201…203) must proceed in order; events and APIs depend on earlier ingestion plumbing. +- Graph change events require Scheduler/Platform Events alignment; coordinate with Cartographer guilds to keep telemetry deterministic. + +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md (plus storage and ingestion notes) +- Any Link-Not-Merge schema/ADR docs referenced by CONCELIER-LNM-21-*** + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-GRAPH-21-001 | BLOCKED (2025-10-27) | Waiting for Link-Not-Merge schema finalization | Concelier Core Guild · Cartographer Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Extend SBOM normalization so relationships/scopes are stored as raw observation metadata with provenance pointers for graph joins. 
| +| 2 | CONCELIER-GRAPH-21-002 | BLOCKED (2025-10-27) | Depends on 21-001 | Concelier Core Guild · Scheduler Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish `sbom.observation.updated` events with tenant/context and advisory refs; facts only, no judgments. | +| 3 | CONCELIER-GRAPH-24-101 | TODO | Depends on 21-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/summary` bundles observation/linkset metadata (aliases, confidence, conflicts) for graph overlays; upstream values intact. | +| 4 | CONCELIER-GRAPH-28-102 | TODO | Depends on 24-101 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Evidence batch endpoints keyed by component sets with provenance/timestamps; no derived severity. | +| 5 | CONCELIER-LNM-21-001 | TODO | Start of Link-Not-Merge chain | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Define immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards). | +| 6 | CONCELIER-LNM-21-002 | TODO | Depends on 21-001 | Concelier Core Guild · Data Science Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Correlation pipelines output linksets with confidence + conflict markers, avoiding value collapse. | +| 7 | CONCELIER-LNM-21-003 | TODO | Depends on 21-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Record disagreements (severity, CVSS, references) as structured conflict entries. | +| 8 | CONCELIER-LNM-21-004 | TODO | Depends on 21-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Remove legacy merge/dedup logic; add guardrails/tests to keep ingestion append-only; document linkset supersession. 
| +| 9 | CONCELIER-LNM-21-005 | TODO | Depends on 21-004 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit `advisory.linkset.updated` events with delta descriptions + observation ids (tenant + provenance only). | +| 10 | CONCELIER-LNM-21-101 | TODO | Depends on 21-005 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Provision Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, TTL for ingest metadata. | +| 11 | CONCELIER-LNM-21-102 | TODO | Depends on 21-101 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Backfill legacy merged advisories; seed tombstones; provide rollback tooling for Offline Kit. | +| 12 | CONCELIER-LNM-21-103 | TODO | Depends on 21-102 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Move large raw payloads to object storage with deterministic pointers; update bootstrapper/offline seeds; preserve provenance metadata. | +| 13 | CONCELIER-LNM-21-201 | TODO | Depends on 21-103 | Concelier WebService Guild · BE-Base Platform Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/observations` filters by alias/purl/source with strict tenant scopes; echoes upstream values + provenance fields only. | +| 14 | CONCELIER-LNM-21-202 | TODO | Depends on 21-201 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/advisories/linksets`/`export`/`evidence` endpoints surface correlation + conflict payloads and `ERR_AGG_*` mapping; no synthesis/merge. | +| 15 | CONCELIER-LNM-21-203 | TODO | Depends on 21-202 | Concelier WebService Guild · Platform Events Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish idempotent NATS/Redis events for new observations/linksets with documented schemas; include tenant + provenance references only. 
| + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_113_concelier_ii.md` to `SPRINT_0113_0001_0002_concelier_ii.md`; no semantic changes. | Planning | + +## Decisions & Risks +- Link-Not-Merge schema sequence is critical path; delays keep ingestion and graph events blocked (see tasks 5–15). +- Graph event pipeline depends on Scheduler/Platform Events alignment to avoid non-deterministic downstream joins. +- Storage backfill (21-102) and object-store move (21-103) must preserve provenance metadata to avoid regression in Offline Kit and replay. + +## Next Checkpoints +- Next LNM schema review: align with CARTO-GRAPH/LNM owners (date TBD); unblock tasks 1–2 and 5–15. +- Schedule event schema walkthrough with Platform Events/Scheduler guilds once 21-005 draft ready. + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| Link-Not-Merge schema finalization (CONCELIER-LNM-21-001+) | Tasks 1–15 | Concelier Core · Cartographer · Platform Events | Outstanding; blockers dated 2025-10-27 remain. | +| Scheduler / Platform Events contract for `sbom.observation.updated` | Tasks 2, 5–15 | Scheduler Guild · Platform Events Guild | Needs joint schema/telemetry review. | +| Object storage contract for raw payloads | Tasks 10–12 | Storage Guild · DevOps Guild | To be defined alongside 21-103. | diff --git a/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md b/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md new file mode 100644 index 000000000..f78c3c74e --- /dev/null +++ b/docs/implplan/SPRINT_0114_0001_0003_concelier_iii.md 
@@ -0,0 +1,58 @@ +# Sprint 0114-0001-0003 · Concelier III — Ingestion & Evidence (Phase 110.B) + +## Topic & Scope +- Document and expose Link-Not-Merge ingestion surfaces (OpenAPI + SDK) with provenance, tenant scope, and AOC guarantees. +- Establish observability, attestation, and incident-mode hooks that keep advisory evidence replayable without merge-era heuristics. +- Align ingestion workers with orchestrator controls for deterministic scheduling, backfill, and ledger linkage. +- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService). + +## Dependencies & Concurrency +- Depends on Sprint 0113-0001-0002 (Concelier II) Link-Not-Merge plumbing and graph/event groundwork. +- Observability chain (OBS-51…55) builds sequentially; attestation work relies on evidence snapshot generation first. +- Orchestrator integration tasks (ORCH-32…34) must coordinate with orchestrator worker SDK/controls; schedule alongside Policy Engine consumers. + +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md (ingestion, observability, orchestrator notes) +- Current OpenAPI spec + SDK docs referenced by CONCELIER-OAS-61/62/63 + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-OAS-61-001 | TODO | Needs latest LNM schema from Sprint 0113 | Concelier Core Guild · API Contracts Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Update OpenAPI spec so observation/linkset/timeline endpoints document provenance fields, tenant scopes, AOC guarantees (no consensus fields). 
| +| 2 | CONCELIER-OAS-61-002 | TODO | Depends on 61-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Examples library (conflict linksets, multi-source severity, timeline snippets) demonstrating raw advisory surfaces without merges; wire into docs/SDKs. | +| 3 | CONCELIER-OAS-62-001 | TODO | Depends on 61-002 | Concelier Core Guild · SDK Generator Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | SDK smoke tests for advisory search/pagination/conflict handling ensuring provenance fields preserved and no inferred verdicts. | +| 4 | CONCELIER-OAS-63-001 | TODO | Depends on 62-001 | Concelier Core Guild · API Governance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired; discourage merge-era APIs. | +| 5 | CONCELIER-OBS-51-001 | TODO | Start of OBS chain | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts to prove pipeline health. | +| 6 | CONCELIER-OBS-52-001 | TODO | Depends on 51-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, evidence hashes—facts only for replay. | +| 7 | CONCELIER-OBS-53-001 | TODO | Depends on 52-001 | Concelier Core Guild · Evidence Locker Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests for audit replay without live Mongo. | +| 8 | CONCELIER-OBS-54-001 | TODO | Depends on 53-001 | Concelier Core Guild · Provenance Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Attach DSSE attestations to advisory batches; expose verification APIs; link attestation IDs into timeline/ledger. 
| +| 9 | CONCELIER-OBS-55-001 | TODO | Depends on 54-001 | Concelier Core Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Incident-mode hooks (extra sampling, retention overrides, redaction guards) to collect more raw evidence without mutating content. | +| 10 | CONCELIER-ORCH-32-001 | TODO | Coordinate with orchestrator registry | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Register every advisory connector with orchestrator (metadata, auth scopes, rate policies) for transparent, reproducible scheduling. | +| 11 | CONCELIER-ORCH-32-002 | TODO | Depends on 32-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Adopt orchestrator worker SDK in ingestion loops; emit heartbeats/progress/artifact hashes for deterministic replays. | +| 12 | CONCELIER-ORCH-33-001 | TODO | Depends on 32-002 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Honor orchestrator pause/throttle/retry controls with structured errors and persisted checkpoints. | +| 13 | CONCELIER-ORCH-34-001 | TODO | Depends on 33-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Execute orchestrator-driven backfills reusing artifact hashes/signatures, logging provenance, and pushing run metadata to ledger. | +| 14 | CONCELIER-POLICY-20-001 | TODO | Needs Link-Not-Merge APIs from Sprint 0113 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy joins raw evidence without inferred outcomes. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. 
| Planning | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_114_concelier_iii.md` to `SPRINT_0114_0001_0003_concelier_iii.md`; no semantic changes. | Planning | + +## Decisions & Risks +- Link-Not-Merge and OpenAPI alignment must precede SDK/examples; otherwise downstream clients will drift from canonical facts. +- Observability/attestation chain (OBS-51…55) risks audit gaps if sequencing slips; each step depends on previous artifacts. +- Orchestrator control compliance is required to prevent evidence loss during throttles/pauses. + +## Next Checkpoints +- Schedule OpenAPI/SDK review once CONCELIER-OAS-61-001 draft ready (date TBD, gated on Sprint 0113 outputs). +- Plan orchestrator contract review with Orchestrator guild before implementing ORCH-32-002. + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| Link-Not-Merge schema + APIs from Sprint 0113 | Tasks 1–4, 14 | Concelier Core/WebService · API Contracts | Pending upstream completion. | +| Observability metrics foundation (CONCELIER-OBS-51-001) | Tasks 6–9 | Concelier Core · DevOps | Not started; required for downstream timeline/attestation hooks. | +| Orchestrator registry/SDK contracts | Tasks 10–13 | Concelier Core · Orchestrator Guild | Coordination needed; no contract recorded yet. | diff --git a/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md b/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md new file mode 100644 index 000000000..749b17451 --- /dev/null +++ b/docs/implplan/SPRINT_0115_0001_0004_concelier_iv.md 
@@ -0,0 +1,58 @@ +# Sprint 0115-0001-0004 · Concelier IV — Ingestion & Evidence (Phase 110.B) + +## Topic & Scope +- Extend Link-Not-Merge outputs to serve policy, risk, and notification consumers with provenance-preserving linksets and signals. +- Backfill raw linksets and enforce tenant-aware linking so downstream services ingest fact-only advisory data. +- Bridge Concelier evidence to Policy Studio and VEX Lens without introducing merge-era inference. +- Working directory: `src/Concelier` (Core libraries, Storage.Mongo, WebService). + +## Dependencies & Concurrency +- Depends on Sprint 0114-0001-0003 (Concelier III) OpenAPI/observability foundations. +- Policy enrichment chain (POLICY-20-002/003, POLICY-23-001/002) builds sequentially; events rely on prior indexes/cursors. +- Risk signals (RISK-66…69) and tenant-aware linking hinge on upstream Link-Not-Merge data and AUTH/AOC scoping. + +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md (policy/risk/tenant scope sections) +- docs/dev/raw-linkset-backfill-plan.md + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-POLICY-20-002 | TODO | Depends on POLICY-20-001 (Sprint 0114) | Concelier Core Guild · Policy Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expand linkset builders with vendor equivalence, NEVRA/PURL normalization, version-range parsing so policy joins are accurate without prioritizing sources. | +| 2 | CONCELIER-POLICY-20-003 | TODO | Depends on 20-002 | Concelier Storage Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Advisory selection cursors + change-stream checkpoints for deterministic policy deltas; include offline migration scripts. 
| +| 3 | CONCELIER-POLICY-23-001 | TODO | Depends on 20-003 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Secondary indexes/materialized views (alias, provider severity, confidence) to keep policy lookups fast without cached verdicts; document query patterns. | +| 4 | CONCELIER-POLICY-23-002 | TODO | Depends on 23-001 | Concelier Core Guild · Platform Events Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Ensure `advisory.linkset.updated` events carry idempotent IDs, confidence summaries, tenant metadata for safe policy replay. | +| 5 | CONCELIER-RISK-66-001 | TODO | Start of risk chain | Concelier Core Guild · Risk Engine Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Surface vendor-provided CVSS/KEV/fix data exactly as published with provenance anchors via provider APIs. | +| 6 | CONCELIER-RISK-66-002 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. | +| 7 | CONCELIER-RISK-67-001 | TODO | Depends on 66-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers cite which upstream statements exist; no weighting applied. | +| 8 | CONCELIER-RISK-68-001 | TODO | Depends on POLICY-RISK-68-001 | Concelier Core Guild · Policy Studio Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Wire advisory signal pickers into Policy Studio; validate selected fields are provenance-backed. | +| 9 | CONCELIER-RISK-69-001 | TODO | Depends on 66-002 | Concelier Core Guild · Notifications Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Emit notifications on upstream advisory field changes (e.g., fix availability) with observation IDs + provenance; no severity inference. 
| +| 10 | CONCELIER-SIG-26-001 | TODO | Depends on SIGNALS-24-002 | Concelier Core Guild · Signals Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Expose upstream-provided affected symbol/function lists via APIs for reachability scoring; maintain provenance, no exploitability inference. | +| 11 | CONCELIER-STORE-AOC-19-005 | TODO (2025-11-04) | Depends on CONCELIER-CORE-AOC-19-004 | Concelier Storage Guild · DevOps Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo`) | Execute raw-linkset backfill/rollback plan so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. | +| 12 | CONCELIER-TEN-48-001 | TODO | Depends on AUTH-TEN-47-001 | Concelier Core Guild (`src/Concelier/__Libraries/StellaOps.Concelier.Core`) | Enforce tenant scoping through normalization/linking; expose capability endpoint advertising `merge=false`; ensure events include tenant IDs. | +| 13 | CONCELIER-VEXLENS-30-001 | TODO | Depends on CONCELIER-VULN-29-001, VEXLENS-30-005 | Concelier WebService Guild · VEX Lens Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations cite Concelier evidence without merges. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_115_concelier_iv.md` to `SPRINT_0115_0001_0004_concelier_iv.md`; no semantic changes. | Planning | + +## Decisions & Risks +- Policy enrichment chain must remain fact-only; any weighting or prioritization belongs to Policy Engine, not Concelier. +- Raw linkset backfill (STORE-AOC-19-005) must preserve rollback paths to protect Offline Kit deployments. 
+- Tenant-aware linking and notification hooks depend on Authority/Signals contracts; delays could stall AOC compliance and downstream alerts. + +## Next Checkpoints +- Plan backfill rehearsal window for STORE-AOC-19-005 once AUTH/AOC prerequisites clear (date TBD). +- Schedule Policy Studio integration review after POLICY-20-003 cursors and indexes are available. + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| POLICY-20-001 outputs (Sprint 0114) | Tasks 1–4 | Concelier Core/WebService · Policy Guild | Upstream prerequisite. | +| AUTH-TEN-47-001 tenant scope contract | Task 12 | Authority Guild · Concelier Core | Pending; required for tenant enforcement. | +| SIGNALS-24-002 symbol data ingestion | Task 10 | Signals Guild · Concelier Core | Pending contract. | +| CONCELIER-CORE-AOC-19-004 backfill pre-req | Task 11 | Concelier Core/Storage · DevOps | Needs completion before backfill rehearsal. | diff --git a/docs/implplan/SPRINT_0116_0001_0005_concelier_v.md b/docs/implplan/SPRINT_0116_0001_0005_concelier_v.md new file mode 100644 index 000000000..19d0a81f0 --- /dev/null +++ b/docs/implplan/SPRINT_0116_0001_0005_concelier_v.md 
@@ -0,0 +1,60 @@ +# Sprint 0116-0001-0005 · Concelier V — Ingestion & Evidence (Phase 110.B) + +## Topic & Scope +- Harden Concelier ingestion for air-gapped and AOC scenarios with sealed-mode enforcement, timeline emission, and regression coverage. +- Finalize Link-Not-Merge API/SDK alignment (error envelopes, examples, deprecation headers) and observability surfaces for Console/Vuln Explorer. +- Address AOC guardrails and chunk evidence regressions to keep ingestion append-only and deterministic. +- Working directory: `src/Concelier` (WebService focus). + +## Dependencies & Concurrency +- Depends on Sprint 0115-0001-0004 (Concelier IV) policy/risk and backfill readiness. +- AirGap chain (WEB-AIRGAP-56/57/58) builds sequentially; sealed-mode must precede staleness surfacing and timeline events. +- AOC regression tasks (WEB-AOC-19-003…007) rely on prior validators (WEB-AOC-19-002) and must land before large-batch ingest verification. + +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md (airgap, AOC, observability sections) +- Link-Not-Merge API specs and error envelope guidelines + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-VULN-29-004 | TODO | Depends on CONCELIER-VULN-29-001 | Concelier WebService Guild · Observability Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, chunk latencies; stream to Vuln Explorer without altering payloads. 
| +| 2 | CONCELIER-WEB-AIRGAP-56-001 | TODO | Start of AirGap chain | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, enforce sealed-mode by blocking direct internet feeds. | +| 3 | CONCELIER-WEB-AIRGAP-56-002 | TODO | Depends on 56-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets`; operators see freshness without Excititor-derived outcomes. | +| 4 | CONCELIER-WEB-AIRGAP-57-001 | TODO | Depends on 56-002 | Concelier WebService Guild · AirGap Policy Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` payloads with remediation guidance; keep advisory content untouched. | +| 5 | CONCELIER-WEB-AIRGAP-58-001 | TODO | Depends on 57-001 | Concelier WebService Guild · AirGap Importer Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit timeline events for bundle imports (bundle ID, scope, actor) to capture every evidence change. | +| 6 | CONCELIER-WEB-AOC-19-003 | TODO | Depends on WEB-AOC-19-002 | QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), supersedes chains to keep ingestion append-only. | +| 7 | CONCELIER-WEB-AOC-19-004 | TODO | Depends on 19-003 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Integration tests ingesting large batches (cold/warm) verifying reproducible linksets; record metrics/fixtures for Offline Kit rehearsals. 
| +| 8 | CONCELIER-WEB-AOC-19-005 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve; stop "Unable to locate advisory_raw documents" during tests. | +| 9 | CONCELIER-WEB-AOC-19-006 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Align default auth/tenant configs with fixtures so allowlisted tenants ingest before forbidden ones are rejected; close gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. | +| 10 | CONCELIER-WEB-AOC-19-007 | TODO (2025-11-08) | Depends on WEB-AOC-19-002 | Concelier WebService Guild · QA Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Ensure AOC verify emits `ERR_AOC_001` (not `_004`); maintain mapper/guard parity with regression tests. | +| 11 | CONCELIER-WEB-OAS-61-002 | TODO | Prereq for examples/deprecation | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Migrate APIs to standardized error envelope; update controllers/tests accordingly. | +| 12 | CONCELIER-WEB-OAS-62-001 | TODO | Depends on 61-002 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Publish curated examples for observations/linksets/conflicts; wire into developer portal. | +| 13 | CONCELIER-WEB-OAS-63-001 | TODO | Depends on 62-001 | Concelier WebService Guild · API Governance Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. | +| 14 | CONCELIER-WEB-OBS-51-001 | TODO | Depends on CONCELIER-WEB-OBS-50-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | `/obs/concelier/health` surfaces for ingest health, queue depth, SLO status for Console widgets. 
| +| 15 | CONCELIER-WEB-OBS-52-001 | TODO | Depends on 51-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, audit logging for live evidence monitoring. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md`. | Planning | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_116_concelier_v.md` to `SPRINT_0116_0001_0005_concelier_v.md`; no semantic changes. | Planning | + +## Decisions & Risks +- AirGap sealed-mode enforcement must precede staleness surfaces/timeline events to avoid leaking non-mirror sources. +- AOC regression fixes are required before large-batch ingest verification; failing to align allowlist/auth configs risks false negatives in tests. +- Standardized error envelope is prerequisite for SDK/doc alignment; delays block developer portal updates. + +## Next Checkpoints +- Plan sealed-mode remediation payload review once WEB-AIRGAP-56-002 is drafted (date TBD). +- Schedule regression test run after WEB-AOC-19-003 lands to validate batch ingest and chunk evidence fixes. + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| AirGap mirror import plumbing (WEB-AIRGAP-56-001) | Tasks 3–5 | Concelier WebService · AirGap Guilds | Not started; prerequisite for staleness and timeline work. | +| AOC validator updates (WEB-AOC-19-002) | Tasks 6–10 | Concelier WebService · QA | Required to unblock guardrail/regression tasks. | +| Error envelope standard (WEB-OAS-61-002) | Tasks 12–13 | Concelier WebService · API Governance | Prerequisite for examples and deprecation headers. | +| Observability base (WEB-OBS-50-001) | Tasks 14–15 | Concelier WebService | Upstream dependency for health/timeline surfaces. | 
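Review bot: In the SPRINT_0116 Delivery Tracker, task 9 (CONCELIER-WEB-AOC-19-006) says "Align default auth/tenant configs with fixtures" without stating which side moves. Because the task closes a gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`, spell out that the fixtures are brought in line with the service defaults (or that any change to the defaults keeps tenants outside the allowlist rejected), and that the test asserts both the accepted allowlisted tenant and the rejected one. As written, the test could be made green by loosening tenant enforcement. Separately, task 1 depends on CONCELIER-VULN-29-001, which has no row in "Blockers & Dependencies (detailed)".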
diff --git a/docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md b/docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md new file mode 100644 index 000000000..510154ceb --- /dev/null +++ b/docs/implplan/SPRINT_0117_0001_0006_concelier_vi.md 
@@ -0,0 +1,52 @@ +# Sprint 0117-0001-0006 · Concelier VI — Ingestion & Evidence (Phase 110.B) + +## Topic & Scope +- Expose evidence locker and attestation data through Concelier APIs with provenance-preserving contracts and incident-mode controls. +- Finish connector-side Link-Not-Merge provenance for version ranges (CCCS, CERT-Bund, Cisco) to feed canonical observations. +- Keep migration docs aligned as connectors adopt new schemas. +- Working directory: `src/Concelier` (WebService + Connector libraries) and `docs` (migration). + +## Dependencies & Concurrency +- Depends on Sprint 0116-0001-0005 for observability timeline stream and error envelope readiness. +- Evidence locker/attestation endpoints (WEB-OBS-53/54/55) rely on Link-Not-Merge observation schema and prior SSE timeline work. +- Connector tasks depend on CONCELIER-LNM-21-001 schema; must proceed per-connector while keeping migration docs in sync. + +## Documentation Prerequisites +- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md +- docs/modules/platform/architecture-overview.md +- docs/modules/concelier/architecture.md (connectors, evidence locker integration) +- docs/migration/no-merge.md + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | CONCELIER-WEB-OBS-53-001 | TODO | Depends on WEB-OBS-52-001 (Sprint 0116) | Concelier WebService Guild · Evidence Locker Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Add `/evidence/advisories/*` routes proxying evidence locker snapshots, verifying `evidence:read` scopes, returning signed manifest metadata—no raw storage shortcuts. | +| 2 | CONCELIER-WEB-OBS-54-001 | TODO | Depends on 53-001 | Concelier WebService Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Provide `/attestations/advisories/*` endpoints with DSSE status, verification summary, provenance chain so CLI/Console audit trust without DB hits. 
| +| 3 | CONCELIER-WEB-OBS-55-001 | TODO | Depends on 54-001 | Concelier WebService Guild · DevOps Guild (`src/Concelier/StellaOps.Concelier.WebService`) | Incident-mode APIs coordinating ingest, locker, orchestrator; capture activation events + cooldown semantics while leaving evidence untouched. | +| 4 | FEEDCONN-CCCS-02-009 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CCCS (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs`) | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. | +| 5 | FEEDCONN-CERTBUND-02-010 | TODO | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – CertBund (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund`) | Translate CERT-Bund `product.Versions` into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) retaining localisation notes; update mapper/tests for Link-Not-Merge. | +| 6 | FEEDCONN-CISCO-02-009 | DOING (2025-11-08) | Depends on CONCELIER-LNM-21-001 | Concelier Connector Guild – Cisco (`src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco`) | Emit Cisco SemVer ranges into observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. | +| 7 | DOCS-LNM-22-008 | DONE (2025-11-03) | Keep synced with connector migrations | Docs Guild · DevOps Guild (`docs`) | `docs/migration/no-merge.md` documents Link-Not-Merge migration plan. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-03 | Documented Link-Not-Merge migration plan (`docs/migration/no-merge.md`). | Docs Guild | +| 2025-11-08 | Connector Cisco task marked DOING; others pending Link-Not-Merge schema. 
| Connector PM | +| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_117_concelier_vi.md` to `SPRINT_0117_0001_0006_concelier_vi.md`; no semantic changes. | Planning | + +## Decisions & Risks +- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; lacking these risks bypass paths. +- Connector version-range provenance must align with Link-Not-Merge schema; inconsistencies could break deterministic comparisons across feeds. +- Incident-mode toggles need orchestrator/locker coordination; absence of shared semantics risks divergent behavior across services. + +## Next Checkpoints +- Schedule evidence locker API contract review once WEB-OBS-52-001 ships (date TBD). +- Connector sync to validate range normalization across CCCS, CERT-Bund, Cisco after initial implementations. + +## Blockers & Dependencies (detailed) +| Dependency | Impacted work | Owner(s) | Status | +| --- | --- | --- | --- | +| WEB-OBS-52-001 timeline stream (Sprint 0116) | Tasks 1–3 | Concelier WebService · DevOps | Upstream dependency not yet delivered. | +| Link-Not-Merge observation schema (CONCELIER-LNM-21-001) | Tasks 4–6 | Connector Guilds | Required for normalized range emission. | +| Orchestrator/locker incident-mode contract | Task 3 | DevOps · Concelier WebService | Needs definition; no shared semantics recorded. | diff --git a/docs/implplan/SPRINT_0119_0001_0001_excititor_i.md b/docs/implplan/SPRINT_0119_0001_0001_excititor_i.md new file mode 100644 index 000000000..d88b138db --- /dev/null +++ b/docs/implplan/SPRINT_0119_0001_0001_excititor_i.md 
@@ -0,0 +1,82 @@ +# Sprint 0119_0001_0001 · Excititor Ingestion & Evidence (Phase I) + +## Topic & Scope +- Stand up Advisory-AI evidence projection APIs (Excititor I) plus ingestion/attestation chain that stays aggregation-only prior to consensus. +- Deliver telemetry and guardrails so RAG clients and Lens can observe usage; prep mirror-first + sealed-mode ingestion and portable evidence bundles for air-gapped deployments. +- Establish attestation verifier harness and provenance linkage so Advisory AI can cite supplier identity without Excititor interpreting verdicts. +- **Working directory:** `src/Excititor` (WebService, Core, Attestation, Connectors; shared EvidenceLocker/Export touchpoints only as noted). + +## Dependencies & Concurrency +- Upstream: Sprint 100.A (Attestor DSSE verification); Export Center mirror bundle manifest (Sprint 162) and EvidenceLocker portable format (Sprints 160/161); Ops/Signals span sink deployment for observability; connector signer metadata delivery. +- Concurrency: Advisory-AI API tasks can proceed while telemetry export waits on Ops span sink; AirGap 56/57/58 blocked on Export Center schema; Attestation 73-* blocked on 01-003 completion. +- Peers: runs parallel with other Excititor batches; no CC-decade conflicts noted once dependencies above land. + +## Documentation Prerequisites +- `docs/modules/excititor/architecture.md` +- `docs/modules/excititor/README.md#latest-updates` +- `docs/modules/excititor/mirrors.md` +- `docs/modules/excititor/operations/*` +- `docs/modules/excititor/implementation_plan.md` +- Excititor component `AGENTS.md` files within each working directory (WebService, Core, Attestation, Connectors). + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | EXCITITOR-AIAI-31-001 | DONE (2025-11-12) | Available to Advisory AI; monitor usage. 
| Excititor WebService Guild | Expose normalized VEX justifications, scope trees, and anchors via `VexObservation` projections so Advisory AI can cite raw evidence without consensus logic. | +| 2 | EXCITITOR-AIAI-31-002 | TODO | Start `/vex/evidence/chunks`; reuse 31-001 outputs. | Excititor WebService Guild | Stream raw statements + signature metadata with tenant/policy filters for RAG clients; aggregation-only, reference observation/linkset IDs. | +| 3 | EXCITITOR-AIAI-31-003 | DOING (in review 2025-11-13) | Await Ops span sink; finalize metrics wiring. | Excititor WebService Guild · Observability Guild | Instrument evidence APIs with request counters, chunk histograms, signature-failure + AOC guard-violation meters. | +| 4 | EXCITITOR-AIAI-31-004 | TODO | Finalize OpenAPI/SDK/docs once 31-002/003 stabilize. | Excititor WebService Guild · Docs Guild | Codify Advisory-AI evidence contract, determinism guarantees, and mapping of observation IDs to storage. | +| 5 | EXCITITOR-AIRGAP-56-001 | TODO | Waiting on Export Center mirror bundle schema (Sprint 162). | Excititor Core Guild | Mirror-first ingestion that preserves upstream digests, bundle IDs, and provenance for offline parity. | +| 6 | EXCITITOR-AIRGAP-57-001 | TODO | Blocked on 56-001; define sealed-mode errors. | Excititor Core Guild · AirGap Policy Guild | Enforce sealed-mode policies, remediation errors, and staleness annotations surfaced to Advisory AI. | +| 7 | EXCITITOR-AIRGAP-58-001 | TODO | Depends on 57-001 and EvidenceLocker portable format (160/161). | Excititor Core Guild · Evidence Locker Guild | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events. | +| 8 | EXCITITOR-ATTEST-01-003 | DOING (since 2025-11-06) | Complete verifier harness + diagnostics. | Excititor Attestation Guild | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove DSSE bundle verification without touching consensus results. 
| +| 9 | EXCITITOR-ATTEST-73-001 | TODO | Blocked on 01-003; prep payload spec. | Excititor Core · Attestation Payloads Guild | Emit attestation payloads capturing supplier identity, justification summary, and scope metadata for trust chaining. | +| 10 | EXCITITOR-ATTEST-73-002 | TODO | Blocked on 73-001; design linkage API. | Excititor Core Guild | Provide APIs linking attestation IDs back to observation/linkset/product tuples for provenance citations without derived verdicts. | +| 11 | EXCITITOR-CONN-TRUST-01-001 | TODO | Await connector signer metadata schema (review 2025-11-14). | Excititor Connectors Guild | Add signer fingerprints, issuer tiers, and bundle references to MSRC/Oracle/Ubuntu/Stella connectors; document consumer guidance. | + +### Task Clusters & Readiness +- **Advisory-AI evidence APIs:** 31-001 delivered; 31-003 instrumentation and 31-004 docs pending; ready to start once examples and telemetry fixtures finalize. +- **AirGap ingestion & portable bundles:** 56/57/58 gated on Export Center schema and EvidenceLocker format; need sealed-mode error catalog and timeline mapping. +- **Attestation & provenance chain:** 01-003 harness/diagnostics first, then 73-001 payload spec and 73-002 linkage docs. +- **Connector provenance parity:** Inventory signer metadata, define shared fingerprint/tier schema, update connector acceptance tests. + +## Action Tracker +| Focus | Action | Owner(s) | Due | Status | +| --- | --- | --- | --- | --- | +| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (31-004). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) | +| Observability | Wire metrics/traces for `/v1/vex/observations/**` (31-003) and document dashboards. | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + runbook ready; waiting on Ops span sink deploy) | +| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for 56/57. 
| Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending | +| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for 58-001. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending | +| Attestation | Complete verifier suite + diagnostics for 01-003. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness ~80% complete) | +| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (CONN-TRUST-01-001). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-12 | Snapshot refreshed; 31-001 marked DONE; other tasks pending observability, AirGap schemas, and attestation verifier completion. | Excititor PM | +| 2025-11-13 | Added readiness checklists and action tracker; awaiting Export Center mirror schema and Attestor verifier rehearsals. | Excititor PM | +| 2025-11-13 | OpenAPI draft for 31-004 shared; observability wiring blocked until Ops deploys span sink. | WebService Guild | +| 2025-11-14 | Connector provenance schema review scheduled; Export Center mirror schema still pending, keeping 56/57 blocked. | Connectors Guild | +| 2025-11-14 | 31-003 instrumentation (counters, chunk histogram, signature failure + guard-violation meters) merged; telemetry export blocked on span sink rollout. | WebService Guild | +| 2025-11-14 | Published `docs/modules/excititor/operations/observability.md` covering new evidence metrics for Ops/Lens dashboards. | Observability Guild | +| 2025-11-16 | Normalized sprint file to standard template, renamed to SPRINT_0119_0001_0001_excititor_i.md, and updated tasks-all references. | Planning | + +## Decisions & Risks +- **Decisions** + - Until Ops span sink lands, keep observability fallback to log-only counters per `docs/modules/excititor/operations/observability.md`. 
+ - If Export Center mirror schema slips, temporarily use placeholder from `docs/modules/export-center/architecture.md` with deltas noted; escalate to Export Center leads. + - Advisory-AI consumers must map observation IDs via projection service; keep aggregation-only stance (no consensus logic) for all new APIs. +- **Risks & Mitigations** + - Observability sinks not ready for 31-003 → reuse Signals dashboards; ship log-only fallback. Severity: Medium. + - Mirror bundle schema slips (Export Center/AirGap) → use placeholder schema; escalate; severity: High. + - Attestation verifier misses 2025-11-16 target → daily stand-ups; parallel diagnostics; severity: High. + - Connector signer metadata incomplete → stage connector-specific TODOs and feature flag partial rollout; severity: Medium. + +## Next Checkpoints +| Date (UTC) | Session / Owner | Goal | Fallback | +| --- | --- | --- | --- | +| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for CONN-TRUST-01-001. | If schema not ready, keep task blocked and request interim metadata list from connectors. | +| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock 56/57. | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. | +| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock 73-* tasks. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. | +| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for 31-003. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. | +| 2025-11-19 | Connector metadata inventory (Connectors Guild) | Confirm signer metadata coverage for CONN-TRUST-01-001 rollout. 
| Fall back to partial coverage with feature flags. | diff --git a/docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md b/docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md new file mode 100644 index 000000000..f94f4b63a --- /dev/null +++ b/docs/implplan/SPRINT_0120_0000_0001_policy_reasoning.md 
@@ -0,0 +1,78 @@ +# Sprint 0120-0000-0001 · Policy & Reasoning + +## Topic & Scope +- Deliver ledger observability baselines (LEDGER-29-007/008/009) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant. +- Extend ledger provenance to orchestrator jobs, air-gapped bundle imports, and attestation evidence (LEDGER-34-101, LEDGER-AIRGAP-56/57/58, LEDGER-ATTEST-73-001). +- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) so downstream guilds can adopt without bespoke guidance. +- Working directory: `src/Findings/StellaOps.Findings.Ledger`. + +## Dependencies & Concurrency +- Upstream obligations: Sprint 110.A AdvisoryAI must land; Observability Guild must sign off `ledger_*` metric schema; mirror bundle schema freeze required before LEDGER-AIRGAP-*; attestation pointer schema must align with NOTIFY-ATTEST-74-001. +- Concurrency guardrails: execute tasks in order DOING → TODO → BLOCKED; orchestrator export contract is tracked with Sprint 150.A to avoid cross-guild contention. +- Entry criteria: upstream AdvisoryAI deliverables complete; Observability-approved metric names/labels; published mirror bundle schemas for AirGap kits. +- Exit criteria: metrics/logs/dashboards live in ops telemetry packs with alerts; determinism/load harness produces signed 5 M findings report; deployment manifests + offline kits reviewed by DevOps/AirGap guilds; ledger records pointers to orchestrator runs, bundle provenance, and attestation envelopes. + +**External dependency tracker** +| Dependency | Current state (2025-11-13) | Impact | +| --- | --- | --- | +| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. | +| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. | +| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. | +| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. 
| +| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. | + +**Cluster snapshot** +| Cluster | Linked tasks | Owners | Status snapshot | Notes | +| --- | --- | --- | --- | --- | +| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). | +| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. | +| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. | +| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. | +| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. 
| + +## Documentation Prerequisites +- `docs/modules/findings-ledger/observability.md` +- `docs/modules/findings-ledger/replay-harness.md` +- `docs/modules/findings-ledger/deployment.md` +- `docs/modules/findings-ledger/implementation_plan.md` +- `docs/modules/findings-ledger/airgap-provenance.md` +- `docs/observability/policy.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | LEDGER-29-007 | TODO | Observability metric schema sign-off; deps LEDGER-29-006 | Findings Ledger Guild, Observability Guild / `src/Findings/StellaOps.Findings.Ledger` | Instrument `ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`, structured logs, Merkle anchoring alerts, and publish dashboards. | +| 2 | LEDGER-29-008 | TODO | Depends on LEDGER-29-007 instrumentation | Findings Ledger Guild, QA Guild / `src/Findings/StellaOps.Findings.Ledger` | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5 M findings/tenant. | +| 3 | LEDGER-29-009 | TODO | Depends on LEDGER-29-008 harness results | Findings Ledger Guild, DevOps Guild / `src/Findings/StellaOps.Findings.Ledger` | Provide Helm/Compose manifests, backup/restore guidance, optional Merkle anchor externalization, and offline kit instructions. | +| 4 | LEDGER-34-101 | TODO | Orchestrator ledger export contract (Sprint 150.A) | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. | +| 5 | LEDGER-AIRGAP-56-001 | TODO | Mirror bundle schema freeze | Findings Ledger Guild / `src/Findings/StellaOps.Findings.Ledger` | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. 
| +| 6 | LEDGER-AIRGAP-56-002 | TODO | Depends on LEDGER-AIRGAP-56-001 | Findings Ledger Guild, AirGap Time Guild / `src/Findings/StellaOps.Findings.Ledger` | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. | +| 7 | LEDGER-AIRGAP-57-001 | TODO | Depends on LEDGER-AIRGAP-56-002 | Findings Ledger Guild, Evidence Locker Guild / `src/Findings/StellaOps.Findings.Ledger` | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. | +| 8 | LEDGER-AIRGAP-58-001 | TODO | Depends on LEDGER-AIRGAP-57-001 | Findings Ledger Guild, AirGap Controller Guild / `src/Findings/StellaOps.Findings.Ledger` | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. | +| 9 | LEDGER-ATTEST-73-001 | TODO | Attestation pointer schema alignment with NOTIFY-ATTEST-74-001 | Findings Ledger Guild, Attestor Service Guild / `src/Findings/StellaOps.Findings.Ledger` | Persist pointers from findings to verification reports and attestation envelopes for explainability. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. | Findings Ledger Guild | +| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild | +| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild | +| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. 
| Findings Ledger Guild | +| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild | +| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild | +| 2025-11-16 | Normalised sprint to standard template and renamed to `SPRINT_0120_0000_0001_policy_reasoning.md`; no content changes beyond reformat. | Project Management | +| 2025-11-16 | Added `src/Findings/AGENTS.md` synthesising required reading, boundaries, determinism/observability rules for implementers. | Project Management | + +## Decisions & Risks +- Metric names locked by 2025-11-15 and documented in `docs/observability/policy.md` to avoid schema churn. +- Replay workload risk: 5 M findings load may exceed lab capacity; mitigation is to use the QA replay rig and capture CPU/memory budgets in runbooks. +- Air-gap drift risk: mirror bundle format still moving; mitigation is to version the provenance schema and gate LEDGER-AIRGAP-* merges until docs/manifests updated. +- Cross-guild lag risk: Orchestrator/Attestor dependencies may delay provenance pointers; mitigation is weekly sync notes and feature flags so ledger work can land behind toggles. +- Implementer contract now anchored in `src/Findings/AGENTS.md`; keep in sync with module docs and update sprint log when changed. + +## Next Checkpoints +- 2025-11-15 · Metrics + dashboard schema sign-off — Observability Guild — unblocks LEDGER-29-007 instrumentation PR. +- 2025-11-18 · Determinism + replay harness dry-run at 5 M findings — QA Guild — required before LEDGER-29-008 can close. +- 2025-11-20 · Helm/Compose manifests + backup doc review — DevOps Guild · AirGap Controller Guild — needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001. 
+- 2025-11-22 · Mirror bundle provenance schema freeze — AirGap Time Guild — enables LEDGER-AIRGAP-56/57/58 sequencing. +- 2025-11-25 · Orchestrator ledger export contract signed — Orchestrator Guild — prerequisite for LEDGER-34-101 linkage. diff --git a/docs/implplan/SPRINT_110_ingestion_evidence.md b/docs/implplan/SPRINT_110_ingestion_evidence.md index dd3655326..84122f1a5 100644 --- a/docs/implplan/SPRINT_110_ingestion_evidence.md +++ b/docs/implplan/SPRINT_110_ingestion_evidence.md 
@@ -23,32 +23,34 @@ | --- | --- | --- | --- | --- | --- | | 110.A Advisory AI | DOCS-AIAI-31-004 | DOING | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-001/003 | Guardrail console doc drafted; screenshots + SBOM evidence pending. | | 110.A Advisory AI | AIAI-31-009 | DONE (2025-11-12) | Advisory AI Guild | — | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. | -| 110.A Advisory AI | AIAI-31-008 | TODO | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Remote inference packaging queued behind policy knob work. | +| 110.A Advisory AI | AIAI-31-008 | BLOCKED | Advisory AI Guild | AIAI-31-006; AIAI-31-007 | Blocked pending policy knob deliverables (AIAI-31-006/007). | | 110.A Advisory AI | SBOM-AIAI-31-003 | BLOCKED | SBOM Service Guild | SBOM-AIAI-31-001; CLI-VULN-29-001; CLI-VEX-30-001 | Needs SBOM delta kit + CLI deliverables before validation can proceed. | | 110.A Advisory AI | DOCS-AIAI-31-005/006/008/009 | BLOCKED | Docs Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | CLI/policy/ops docs paused pending upstream artefacts. | -| 110.B Concelier | CONCELIER-AIAI-31-002 | DOING | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Structured field/caching implementation gated on schema approval. | +| 110.B Concelier | CONCELIER-AIAI-31-002 | BLOCKED | Concelier Core · Concelier WebService Guilds | CONCELIER-GRAPH-21-001/002; CARTO-GRAPH-21-002 | Blocked: Link-Not-Merge schema still not approved; cannot finalize structured field/caching. | | 110.B Concelier | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | Concelier Observability Guild | — | Telemetry counters/histograms live for Advisory AI dashboards. 
| -| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | TODO | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Air-gap bundles waiting on stable schema + attestation payloads. | -| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | TODO | Concelier Console Guild | Link-Not-Merge schema | Console overlays blocked until schema signed off. | -| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | TODO | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Attestation metadata wiring follows structured caching. | +| 110.B Concelier | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | Concelier Core · AirGap Guilds | Link-Not-Merge schema; Evidence Locker attestation contract | Blocked until schema approval + attestation scope sign-off. | +| 110.B Concelier | CONCELIER-CONSOLE-23-001..003 | BLOCKED | Concelier Console Guild | Link-Not-Merge schema | Blocked pending Link-Not-Merge schema approval. | +| 110.B Concelier | CONCELIER-ATTEST-73-001/002 | BLOCKED | Concelier Core · Evidence Locker Guild | CONCELIER-AIAI-31-002; Evidence Locker contract | Blocked until structured caching lands and Evidence Locker contract finalises. | | 110.B Concelier | FEEDCONN-ICSCISA-02-012 / FEEDCONN-KISA-02-008 | BLOCKED | Concelier Feed Owners | Feed owner remediation plan | Overdue provenance refreshes require schedule from feed owners. | | 110.C Excititor | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | Excititor Web/Core Guilds | — | Normalised VEX justification projections shipped. | -| 110.C Excititor | EXCITITOR-AIAI-31-002 | TODO | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Chunk API waiting on schema + ingest agreements. | -| 110.C Excititor | EXCITITOR-AIAI-31-003 | TODO | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Telemetry/guardrail metrics follow chunk API. 
| -| 110.C Excititor | EXCITITOR-AIAI-31-004 | TODO | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Docs/OpenAPI alignment queued behind chunk API finalisation. | -| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | TODO | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Attestation payload ordering awaiting sequencing session. | -| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | TODO | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Air-gap + connector parity depend on schema + attestation readiness. | -| 110.D Mirror | MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Deterministic assembler has no owner; kickoff rescheduled to 2025-11-15. | -| 110.D Mirror | MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | DSSE/TUF metadata follows assembler baseline. | -| 110.D Mirror | MIRROR-CRT-57-001/002 | TODO | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | OCI/time-anchor workstreams blocked pending assembler + time contract. | -| 110.D Mirror | MIRROR-CRT-58-001/002 | TODO | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | CLI + Export automation depends on assembler and DSSE/TUF track. | -| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | TODO | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Downstream automation awaiting assembler staffing outcome. | +| 110.C Excititor | EXCITITOR-AIAI-31-002 | BLOCKED | Excititor Web/Core Guilds | Link-Not-Merge schema; Evidence Locker contract | Blocked until schema + ingest contract approved. | +| 110.C Excititor | EXCITITOR-AIAI-31-003 | BLOCKED | Excititor Observability Guild | EXCITITOR-AIAI-31-002 | Blocked behind EXCITITOR-AIAI-31-002. 
| +| 110.C Excititor | EXCITITOR-AIAI-31-004 | BLOCKED | Docs Guild · Excititor Guild | EXCITITOR-AIAI-31-002 | Blocked until chunk API finalized. | +| 110.C Excititor | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | BLOCKED | Excititor Guild · Evidence Locker Guild | EXCITITOR-AIAI-31-002; Evidence Locker contract | Blocked pending chunk API + Evidence Locker attestation scope. | +| 110.C Excititor | EXCITITOR-AIRGAP-56/57/58 · EXCITITOR-CONN-TRUST-01-001 | BLOCKED | Excititor Guild · AirGap Guilds | Link-Not-Merge schema; attestation plan | Blocked until schema + attestation readiness. | +| 110.D Mirror | MIRROR-CRT-56-001 | BLOCKED | Mirror Creator Guild | Staffing decision | Blocked: no owner assigned; kickoff slipped past 2025-11-15. | +| 110.D Mirror | MIRROR-CRT-56-002 | BLOCKED | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Blocked until MIRROR-CRT-56-001 staffed. | +| 110.D Mirror | MIRROR-CRT-57-001/002 | BLOCKED | Mirror Creator Guild · AirGap Time Guild | MIRROR-CRT-56-001; AIRGAP-TIME-57-001 | Blocked; upstream staffing unresolved. | +| 110.D Mirror | MIRROR-CRT-58-001/002 | BLOCKED | Mirror Creator Guild · CLI Guild · Exporter Guild | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | Blocked until assembler staffed and upstream contracts agreed. | +| 110.D Mirror | EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Exporter Guild · AirGap Time Guild · CLI Guild | MIRROR-CRT-56-001 staffing | Blocked pending MIRROR-CRT-56-001 ownership. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2025-11-13 | Refreshed wave tracker, decisions, and contingency plan ahead of 14–15 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. 
| Sprint 110 leads | | 2025-11-09 | Captured initial wave scope, interlocks, and risks covering SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, and Mirror assembler commitments. | Sprint 110 leads | +| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, and Mirror staffing decisions. | Implementer | +| 2025-11-16 | Marked CONCELIER-AIAI-31-002 BLOCKED (waiting on Link-Not-Merge schema approval); progressed DOCS-AIAI-31-004 doc draft. | Implementer | ## Decisions & Risks ### Decisions in flight diff --git a/docs/implplan/SPRINT_111_advisoryai.md b/docs/implplan/SPRINT_111_advisoryai.md index 499fb5b44..04f9848f2 100644 --- a/docs/implplan/SPRINT_111_advisoryai.md +++ b/docs/implplan/SPRINT_111_advisoryai.md 
@@ -12,16 +12,19 @@ DOCS-AIAI-31-006 | DONE (2025-11-13) | `/docs/policy/assistant-parameters.md` no > 2025-11-13: Published `docs/policy/assistant-parameters.md`, added env-var mapping tables, and linked the page from Advisory AI architecture so guild owners can trace DOCS-AIAI-31-006 to Sprint 111. DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). Dependencies: SBOM-AIAI-31-001. | Docs Guild, SBOM Service Guild (docs) DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. Dependencies: DEVOPS-AIAI-31-001. | Docs Guild, DevOps Guild (docs) -SBOM-AIAI-31-003 | TODO (2025-11-03) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001. | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService) -AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) +SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | Publish the Advisory AI hand-off kit for `/v1/sbom/context`, share base URL/API key + tenant header contract, and run a joint end-to-end retrieval smoke test with Advisory AI. Dependencies: SBOM-AIAI-31-001 (not yet delivered). | SBOM Service Guild, Advisory AI Guild (src/SbomService/StellaOps.SbomService) +AIAI-31-008 | BLOCKED (2025-11-16) | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. Dependencies: AIAI-31-006..007 (done) plus DEVOPS-AIAI-31-001 runbook. 
| Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) AIAI-31-009 | DONE (2025-11-12) | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. Dependencies: AIAI-31-001..006. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI) | > 2025-11-03: WebService/Worker scaffolds created with in-memory cache/queue, minimal APIs (`/api/v1/advisory/plan`, `/api/v1/advisory/queue`), metrics counters, and plan cache instrumentation; worker processes queue using orchestrator. +> 2025-11-16: SBOM-AIAI-31-003 marked BLOCKED pending SBOM-AIAI-31-001 projection kit + smoke plan. +> 2025-11-16: AIAI-31-008 marked BLOCKED pending DEVOPS-AIAI-31-001 runbook for on-prem/remote packaging. > 2025-11-04: SBOM base address now flows via `SbomContextClientOptions.BaseAddress`, worker emits queue/plan metrics, and orchestrator cache keys expanded to cover SBOM hash inputs. -DOCS-AIAI-31-004 | DOING (2025-11-07) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001. | Docs Guild, Console Guild (docs) +DOCS-AIAI-31-004 | BLOCKED (2025-11-16) | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. Dependencies: CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, EXCITITOR-CONSOLE-23-001 (not yet delivered). | Docs Guild, Console Guild (docs) > 2025-11-07: Draft doc committed (`docs/advisory-ai/console.md`) with workflow outline; screenshots will be added once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship. +> 2025-11-16: DOCS-AIAI-31-004 marked BLOCKED; console widgets and Excititor feed endpoints still pending, cannot capture final screenshots/flows. > 2025-11-08: Console endpoints are staffed (CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 DOING); still waiting on EXCITITOR-CONSOLE-23-001 feeds before capturing screenshots/tests. 
> 2025-11-09: Guardrail/inference sections and offline playbooks documented; screenshot placeholders remain open. DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. Dependencies: CLI-VULN-29-001, CLI-VEX-30-001, AIAI-31-004C. | Docs Guild, DevEx/CLI Guild (docs) diff --git a/docs/implplan/SPRINT_112_concelier_i.md b/docs/implplan/SPRINT_112_concelier_i.md deleted file mode 100644 index e0159a249..000000000 --- a/docs/implplan/SPRINT_112_concelier_i.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Sprint 112 · Concelier.I — Canonical Evidence & Provenance (Rebaseline 2025-11-13) - -Phase 110.B keeps Concelier focused on ingestion fidelity and evidence APIs. All active work here assumes Advisory AI consumes *canonical* advisory documents (no merge transforms) and that every field we emit carries exact provenance anchors. - -## Canonical Model Commitments -- **Single source of truth:** `/advisories/{key}/chunks` must render from the canonical `Advisory` aggregate (document id + latest observation set), never from derived cache copies. -- **Provenance anchors:** Each structured field cites both the Mongo `_id` of the backing observation document and the JSON Pointer into that observation (`observationPath`). This mirrors how GHSA’s GraphQL `securityAdvisory.references` and Cisco PSIRT’s `openVuln` feeds expose source handles, so downstream tooling can reconcile fields deterministically. -- **Deterministic ordering:** Sort structured entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes. We are keeping this policy “as-is” for now to avoid churn in Advisory AI prompts. -- **External parity:** Continue mapping fields named in competitor docs (GitHub Security Advisory GraphQL, Red Hat CVE data API, Cisco PSIRT openVuln) so migrations remain predictable. - -## Workstream A — Advisory AI Structured Fields (AIAI-31) -Task ID | State | Exit criteria | Owners ---- | --- | --- | --- -CONCELIER-AIAI-31-002 `Structured fields` | DOING | 1) Program.cs endpoint fully rewritten to resolve the canonical advisory (via `IAdvisoryStore`/`IAliasStore`) and issue structured field entries. 2) Cache key = `tenant + AdvisoryFingerprint`. 3) Responses contain `{chunkId, fingerprint, entries[], provenance.documentId, provenance.observationPath}` with deterministic ordering. 4) Tests updated (`StatementProvenanceEndpointAttachesMetadata`, new structured chunk fixture) and Mongo2Go coverage passes. 
| Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-AIAI-31-003 `Advisory AI telemetry` | DONE (2025-11-12) | OTEL counters (`advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, `advisory_ai_guardrail_blocks_total`) tagged with tenant/result/cache. Nothing further planned unless guardrail policy changes. | Concelier WebService Guild · Observability Guild - -### Implementation checklist (kept inline until CONCELIER-AIAI-31-002 ships) -1. Add `ResolveAdvisoryAsync` helper with alias fallback + tenant guard. -2. Update `AdvisoryChunkCacheKey` to include `AdvisoryFingerprint`. -3. Rewrite `/advisories/{key}/chunks` handler to call the structured builder and emit provenance anchors. -4. Refresh telemetry tests to assert `Response.Entries.Count`. -5. Extend docs (`docs/provenance/inline-dsse.md` + Advisory AI API reference) with the structured schema mirroring GHSA / Cisco references. - -## Workstream B — Mirror & Offline Provenance (AIRGAP-56/57/58) -Task ID | State | Exit criteria / notes | Owners ---- | --- | --- | --- -CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Implement read paths for Offline Kit bundles, persist `bundleId`, `merkleRoot`, and maintain append-only ledger comparisons. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Every observation/linkset stores `{bundleId, merkleRoot, observationPath}` so exported evidence can cite provenance exactly once; depends on 56-001. | Concelier Core Guild · AirGap Importer Guild -CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Feature flag + policy that rejects non-mirror connectors with actionable diagnostics; depends on 56-001. 
| Concelier Core Guild · AirGap Policy Guild -CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute `fetchedAt/publishedAt/clockSource` deltas per bundle and expose via observation APIs without mutating evidence; depends on 56-002. | Concelier Core Guild · AirGap Time Guild -CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory observations/linksets + provenance notes (document id + observationPath) into timeline-bound portable bundles with verifier instructions; depends on 57-002. | Concelier Core Guild · Evidence Locker Guild - -## Workstream C — Transparency & Attestor (ATTEST-73) -Task ID | State | Exit criteria / notes | Owners ---- | --- | --- | --- -CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Emit `{observationDigest, linksetDigest, documentId}` pairs required by Attestor so DSSE bundles include the same provenance anchors Advisory AI emits. | Concelier Core Guild · Attestor Service Guild -CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Read APIs expose `bundleId`, Rekor references, and observation paths for external transparency explorers; depends on 73-001. | Concelier Core Guild - -## Workstream D — Console & Search Surfaces (CONSOLE-23) -Task ID | State | Exit criteria / notes | Owners ---- | --- | --- | --- -CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | `/console/advisories` returns grouped linksets with per-source severity/status chips plus `{documentId, observationPath}` provenance references (matching GHSA + Red Hat CVE browser expectations); depends on CONCELIER-LNM-21-201/202. | Concelier WebService Guild · BE-Base Platform Guild -CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Deterministic “new/modified/conflicting” sets referencing linkset IDs and field paths rather than computed verdicts; depends on 23-001. 
| Concelier WebService Guild -CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | CVE/GHSA/PURL lookups return observation excerpts, provenance anchors, and cache hints so tenants can preview evidence safely; reuse structured field taxonomy from Workstream A. | Concelier WebService Guild - -## Workstream E — Tenant Scope & AOC Guardrails -Task ID | State | Exit criteria / notes | Owners ---- | --- | --- | --- -CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) - -## Recent Updates -- 2025-11-12: CONCELIER-AIAI-31-003 shipped OTEL counters for Advisory AI chunk traffic; dashboards now display cache hit ratios and guardrail blocks per tenant. -- 2025-11-13: Sprint rebaseline complete; structured field scope locked to canonical model + provenance anchors, matching competitor schemas for short-term parity. - -## Current status (2025-11-13) - -| Workstream | State | Notes | -| --- | --- | --- | -| A – Advisory AI structured fields | 🔶 DOING | CONCELIER-AIAI-31-002 code work in progress; schema locked, telemetry landed, release blocked on Link-Not-Merge + CARTO schemas. | -| B – Mirror & offline provenance | 🔴 BLOCKED | No work can start until MIRROR-CRT-56-001 staffing and Offline Kit bundle contracts finalize. | -| C – Transparency & Attestor | 🔴 BLOCKED | Waiting on Workstream A output plus attestation backlog sequencing (Sprint 110/Excititor). | -| D – Console & search surfaces | 🔶 WATCHING | Scoped but dependencies on Link-Not-Merge + Console backlog; preparing schema docs in parallel. 
| -| E – Tenant scope & AOC guardrails | 🔶 WATCHING | Requires Authority smoke coverage; no active engineering yet but tests ready to clone once structured endpoint stabilizes. | - -## Blockers & dependencies - -| Dependency | Impacted work | Owner(s) | Status | -| --- | --- | --- | --- | -| Link-Not-Merge schema (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) | Workstream A release, Workstream D APIs | Concelier Core · Cartographer Guild · Platform Events Guild | Review scheduled 2025-11-14; approval required before shipping structured fields/console APIs. | -| MIRROR-CRT-56-001 staffing | Workstream B (AIRGAP-56/57/58) | Mirror Creator Guild · Exporter Guild · AirGap Time Guild | Owner not assigned (per Sprint 110); kickoff on 2025-11-15 must resolve. | -| Evidence Locker attestation contract | Workstream C (ATTEST-73) | Evidence Locker Guild · Concelier Core | Needs alignment with Excititor attestation plan on 2025-11-15. | -| Authority scope smoke coverage (`CONCELIER-CORE-AOC-19-013`) | Workstream E | Concelier Core · Authority Guild | Waiting on structured endpoint readiness + AUTH-SIG-26-001 validation. | - -## Next actions (target: 2025-11-16) - -| Workstream | Owner(s) | Action | Status | -| --- | --- | --- | --- | -| A | Concelier WebService Guild | Finish `ResolveAdvisoryAsync`, cache key update, and structured response builder; prep PR for review once schema approved. | In progress | -| A | Docs Guild | Draft structured field schema appendix referencing provenance anchors for Advisory AI docs. | Pending | -| B | Concelier Core + Mirror leadership | Join 2025-11-15 kickoff, capture MIRROR-CRT-56-001 owner, and align bundle metadata contract. | Pending | -| C | Concelier Core + Evidence Locker | Produce attestation payload outline so ATTEST-73-001 can start immediately after sequencing meeting. 
| Pending | -| D | Concelier WebService Guild | Prepare `/console/advisories` API spec (field list, provenance references) so implementation can begin once Link-Not-Merge clears. | Drafting | -| E | Concelier Core | Clone Authority smoke suites to cover new structured endpoint once Workstream A enters review. | Pending | - -## Standup prompts - -1. Has Link-Not-Merge schema review resolved all blocking comments? If not, what fields remain at risk? -2. Who will own MIRROR-CRT-56-001 after the 2025-11-15 kickoff, and do we have staffing for follow-on AIRGAP tasks? -3. Did Evidence Locker accept the attestation contract draft, enabling ATTEST-73-001 to move forward? -4. Are Authority/AOC smoke tests ready to clone once structured fields release, or do we need additional scope from AUTH-SIG-26-001? - -## Risks (snapshot 2025-11-13) - -| Risk | Impact | Mitigation / owner | -| --- | --- | --- | -| Link-Not-Merge schema slips past 2025-11-14 | Structured fields + console APIs stay unreleased, blocking Advisory AI and Console surfaces. | Push for schema sign-off during 2025-11-14 review; prep fallback adapter if necessary. | -| Mirror staffing unresolved | AirGap provenance work (AIRGAP-56/57/58) cannot start, delaying Offline Kit parity. | Escalate at 2025-11-15 kickoff; consider borrowing engineers from Evidence Locker or Export guilds. | -| Evidence Locker contract delay | ATTEST-73 work cannot begin, leaving Advisory AI without attested provenance. | Align with Excititor/Evidence Locker owners during 2025-11-15 sequencing session; draft interim spec. | -| Authority smoke coverage gap | AOC guardrails may regress when structured endpoint ships. | Schedule paired testing with Authority guild once Workstream A PR is ready. | diff --git a/docs/implplan/SPRINT_113_concelier_ii.md b/docs/implplan/SPRINT_113_concelier_ii.md deleted file mode 100644 index 34553472f..000000000 --- a/docs/implplan/SPRINT_113_concelier_ii.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Sprint 113 - Ingestion & Evidence · 110.B) Concelier.II - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.B) Concelier.II -Depends on: Sprint 110.B - Concelier.I -Summary: Ingestion & Evidence focus on Concelier (phase II). -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch endpoints keyed by component sets so graph tooltips can pull raw observations/linksets efficiently; include provenance + timestamps but no derived severity. Depends on CONCELIER-GRAPH-24-101. 
| Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Define the immutable `advisory_observations` model (per-source fields, version ranges, severity text, provenance metadata, tenant guards) so every ingestion path records raw statements without merge artifacts. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipelines (alias graph, purl overlap, CVSS vector compare) that output linksets with confidence scores + conflict markers, never collapsing conflicting facts into single values. Depends on CONCELIER-LNM-21-001. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Record disagreements (severity, CVSS, references) on linksets as structured conflict entries so consumers can reason about divergence without Concelier resolving it. Depends on CONCELIER-LNM-21-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-LNM-21-004 `Merge code removal` | TODO | Delete legacy merge/dedup logic, add guardrails/tests to keep ingestion append-only, and document how linksets supersede the old merge outputs. Depends on CONCELIER-LNM-21-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events containing delta descriptions + observation ids so downstream evaluators can subscribe deterministically. Depends on CONCELIER-LNM-21-004. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision the Mongo collections (`advisory_observations`, `advisory_linksets`) with hashed shard keys, tenant indexes, and TTL for ingest metadata to support Link-Not-Merge at scale. 
Depends on CONCELIER-LNM-21-005. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) -CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into the new observation/linkset collections, seed tombstones for deprecated docs, and provide rollback tooling for Offline Kit operators. Depends on CONCELIER-LNM-21-101. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) -CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Move large raw payloads to object storage with deterministic pointers, update bootstrapper/offline kit seeds, and guarantee provenance metadata remains intact. Depends on CONCELIER-LNM-21-102. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) -CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add `/advisories/observations` with filters for alias/purl/source plus strict tenant scopes; responses must only echo upstream values + provenance fields. Depends on CONCELIER-LNM-21-103. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement `/advisories/linksets`/`export`/`evidence` endpoints surfacing correlation + conflict payloads and `ERR_AGG_*` error mapping, never exposing synthesis/merge results. Depends on CONCELIER-LNM-21-201. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish idempotent NATS/Redis events for new observations/linksets with schemas documented for downstream consumers; include tenant + provenance references only. Depends on CONCELIER-LNM-21-202. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService) diff --git a/docs/implplan/SPRINT_114_concelier_iii.md b/docs/implplan/SPRINT_114_concelier_iii.md deleted file mode 100644 index a9aea2283..000000000 
--- a/docs/implplan/SPRINT_114_concelier_iii.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# Sprint 114 - Ingestion & Evidence · 110.B) Concelier.III - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.B) Concelier.III -Depends on: Sprint 110.B - Concelier.II -Summary: Ingestion & Evidence focus on Concelier (phase III). -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update the OpenAPI spec so every observation/linkset/timeline endpoint documents provenance fields, tenant scopes, and AOC guarantees (no consensus fields), giving downstream SDKs unambiguous contracts. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OAS-61-002 `Examples library` | TODO | Provide realistic examples (conflict linksets, multi-source severity, timeline snippets) showing how raw advisories are surfaced without merges; wire them into docs/SDKs. Depends on CONCELIER-OAS-61-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios covering advisory search, pagination, and conflict handling to ensure each language client preserves provenance fields and does not infer verdicts. Depends on CONCELIER-OAS-61-002. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement Sunset/Deprecation headers + timeline notices for legacy endpoints being retired, keeping operators informed while discouraging use of merge-era APIs. Depends on CONCELIER-OAS-62-001. 
| Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit ingestion latency, queue depth, and AOC violation metrics with burn-rate alerts so we can prove the evidence pipeline remains healthy without resorting to heuristics. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OBS-52-001 `Timeline events` | TODO | Produce timeline records for ingest/normalization/linkset updates containing trace IDs, conflict summaries, and evidence hashes—pure facts for downstream replay. Depends on CONCELIER-OBS-51-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Generate evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests so audits can replay advisory history without touching live Mongo. Depends on CONCELIER-OBS-52-001. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to advisory batches, expose verification APIs, and link attestation IDs into timeline + ledger for transparency. Depends on CONCELIER-OBS-53-001. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Implement incident-mode levers (extra sampling, retention overrides, redaction guards) that collect more raw evidence without mutating advisory content. Depends on CONCELIER-OBS-54-001. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register every advisory connector with the orchestrator (metadata, auth scopes, rate policies) so ingest scheduling is transparent and reproducible. 
| Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Adopt the orchestrator worker SDK in ingestion loops, emitting heartbeats/progress/artifact hashes to guarantee deterministic replays. Depends on CONCELIER-ORCH-32-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator pause/throttle/retry controls with structured error outputs and persisted checkpoints so operators can intervene without losing evidence. Depends on CONCELIER-ORCH-32-002. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills that reuse artifact hashes/signatures, log provenance, and push run metadata to the ledger for audits. Depends on CONCELIER-ORCH-33-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Provide batch advisory lookup APIs for Policy Engine (purl/advisory filters, tenant scopes, explain metadata) so policy can join raw evidence without Concelier suggesting outcomes. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) diff --git a/docs/implplan/SPRINT_115_concelier_iv.md b/docs/implplan/SPRINT_115_concelier_iv.md deleted file mode 100644 index d32e12bd1..000000000 --- a/docs/implplan/SPRINT_115_concelier_iv.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Sprint 115 - Ingestion & Evidence · 110.B) Concelier.IV - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.B) Concelier.IV -Depends on: Sprint 110.B - Concelier.III -Summary: Ingestion & Evidence focus on Concelier (phase IV). -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Expand linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version-range parsing so policy joins become more accurate without Concelier prioritizing sources. Depends on CONCELIER-POLICY-20-001. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Introduce advisory selection cursors + change-stream checkpoints that let Policy Engine process deltas deterministically; include offline migration scripts. Depends on CONCELIER-POLICY-20-002. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) -CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views (alias, provider severity, correlation confidence) so policy lookups stay fast without caching derived verdicts; document the supported query patterns. Depends on CONCELIER-POLICY-20-003. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` events ship with idempotent IDs, confidence summaries, and tenant metadata so policy consumers can replay evidence feeds safely. Depends on CONCELIER-POLICY-23-001. 
| Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Surface vendor-provided CVSS/KEV/fix data exactly as published (with provenance anchors) through provider APIs so risk engines can reason about upstream intent. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Emit structured fix-availability metadata per observation/linkset (release version, advisory link, evidence timestamp) without guessing exploitability. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Publish per-source coverage/conflict metrics (counts, disagreements) so explainers can cite which upstream statements exist; no weighting is applied inside Concelier. Depends on CONCELIER-RISK-66-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Wire advisory signal pickers into Policy Studio so curators can select which raw advisory fields feed policy gating; validation must confirm fields are provenance-backed. Depends on POLICY-RISK-68-001. | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit notifications when upstream advisory fields change (e.g., fix available) with observation IDs + provenance so Notifications service can alert without inferring severity. Depends on CONCELIER-RISK-66-002. | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose upstream-provided affected symbol/function lists via APIs to help reachability scoring; maintain provenance and do not infer exploitability. 
Depends on SIGNALS-24-002. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Execute the raw-linkset backfill/rollback plan (`docs/dev/raw-linkset-backfill-plan.md`) so Mongo + Offline Kit bundles reflect Link-Not-Merge data; rehearse rollback. Depends on CONCELIER-CORE-AOC-19-004. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo) -CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Enforce tenant scoping throughout normalization/linking, expose capability endpoint advertising `merge=false`, and ensure events include tenant IDs. Depends on AUTH-TEN-47-001. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) -CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links consumed by VEX Lens so consensus explanations can cite Concelier evidence without requesting merges. Depends on CONCELIER-VULN-29-001, VEXLENS-30-005. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService) diff --git a/docs/implplan/SPRINT_116_concelier_v.md b/docs/implplan/SPRINT_116_concelier_v.md deleted file mode 100644 index 4def86b60..000000000 --- a/docs/implplan/SPRINT_116_concelier_v.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Sprint 116 - Ingestion & Evidence · 110.B) Concelier.V - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.B) Concelier.V -Depends on: Sprint 110.B - Concelier.IV -Summary: Ingestion & Evidence focus on Concelier (phase V). -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument observation/linkset pipelines with metrics for identifier collisions, withdrawn statements, and chunk latencies; stream them to Vuln Explorer without altering evidence payloads. Depends on CONCELIER-VULN-29-001. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalogs, and enforce sealed-mode by blocking direct internet feeds. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness + bundle provenance metadata to `/advisories/observations` and `/advisories/linksets` so operators can see freshness without Excitior deriving outcomes. Depends on CONCELIER-WEB-AIRGAP-56-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to consistent `AIRGAP_EGRESS_BLOCKED` payloads that explain how to remediate, leaving advisory content untouched. Depends on CONCELIER-WEB-AIRGAP-56-002. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle imports (bundle ID, scope, actor) so audit trails capture every evidence change. Depends on CONCELIER-WEB-AIRGAP-57-001. 
| Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests for schema validators, forbidden-field guards (`ERR_AOC_001/2/6/7`), and supersedes chains to keep ingestion append-only. Depends on CONCELIER-WEB-AOC-19-002. | QA Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests that ingest large advisory batches (cold/warm), verify reproducible linksets, and record metrics/fixtures for Offline Kit rehearsals. Depends on CONCELIER-WEB-AOC-19-003. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AOC-19-005 `Chunk evidence regression` | TODO (2025-11-08) | Fix `/advisories/{key}/chunks` test data so pre-seeded raw docs resolve correctly; ensure Mongo migrations stop logging “Unable to locate advisory_raw documents” during tests. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AOC-19-006 `Allowlist ingest auth parity` | TODO (2025-11-08) | Align default auth/tenant configs with the test fixtures so allowlisted tenants can ingest before forbidden tenants are rejected, closing the gap in `AdvisoryIngestEndpoint_RejectsTenantOutsideAllowlist`. Depends on CONCELIER-WEB-AOC-19-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-AOC-19-007 `AOC verify violation codes` | TODO (2025-11-08) | Update AOC verify logic so guard failures emit `ERR_AOC_001` (not `_004`) and keep mapper/guard parity covered by regression tests. Depends on CONCELIER-WEB-AOC-19-002. 
| Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure every API returns the standardized error envelope and update controllers/tests accordingly (prereq for SDK/doc alignment). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Publish curated examples for observations/linksets/conflicts and wire them into the developer portal. Depends on CONCELIER-WEB-OAS-61-002. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Emit deprecation headers + notifications for retiring endpoints, steering clients toward Link-Not-Merge APIs. Depends on CONCELIER-WEB-OAS-62-001. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Add `/obs/concelier/health` surfaces for ingest health, queue depth, and SLO status so Console widgets can display real-time evidence pipeline stats. Depends on CONCELIER-WEB-OBS-50-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` with paging tokens, guardrails, and audit logging so operators can monitor evidence changes live. Depends on CONCELIER-WEB-OBS-51-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) diff --git a/docs/implplan/SPRINT_117_concelier_vi.md b/docs/implplan/SPRINT_117_concelier_vi.md deleted file mode 100644 index 71df6e749..000000000 --- a/docs/implplan/SPRINT_117_concelier_vi.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# Sprint 117 - Ingestion & Evidence · 110.B) Concelier.VI - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.B) Concelier.VI -Depends on: Sprint 110.B - Concelier.V -Summary: Ingestion & Evidence focus on Concelier (phase VI). -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes that proxy evidence locker snapshots, verify `evidence:read` scopes, and return signed manifest metadata—no shortcut paths into raw storage. Depends on CONCELIER-WEB-OBS-52-001. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` endpoints surfacing DSSE status, verification summary, and provenance chain so CLI/Console can audit trust without hitting databases. Depends on CONCELIER-WEB-OBS-53-001. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) -CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident-mode APIs that coordinate ingest, locker, and orchestrator, capturing activation events + cooldown semantics but leaving evidence untouched. Depends on CONCELIER-WEB-OBS-54-001. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService) -FEEDCONN-CCCS-02-009 `Version range provenance (Oct 2025)` | TODO | Emit CCCS version ranges into `advisory_observations.affected.versions[]` with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys per the Link-Not-Merge schema/doc recipes. Depends on CONCELIER-LNM-21-001. 
| Concelier Connector Guild – CCCS (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs) -FEEDCONN-CERTBUND-02-010 `Version range provenance` | TODO | Translate CERT-Bund `product.Versions` phrases into normalized ranges + provenance identifiers (`certbund:{advisoryId}:{vendor}`) while retaining localisation notes; update mapper/tests for Link-Not-Merge. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild – CertBund (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund) -FEEDCONN-CISCO-02-009 `SemVer range provenance` | DOING (2025-11-08) | Emit Cisco SemVer ranges into the new observation schema with provenance IDs (`cisco:{productId}`) and deterministic comparison keys; refresh fixtures to remove merge counters. Depends on CONCELIER-LNM-21-001. | Concelier Connector Guild – Cisco (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco) -DOCS-LNM-22-008 `No-merge migration doc` | DONE (2025-11-03) | Documented Link-Not-Merge migration plan in `docs/migration/no-merge.md`; keep synced with ongoing tasks. | Docs Guild, DevOps Guild (docs) diff --git a/docs/implplan/SPRINT_119_excititor_i.md b/docs/implplan/SPRINT_119_excititor_i.md deleted file mode 100644 index 32f16b07e..000000000 --- a/docs/implplan/SPRINT_119_excititor_i.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Sprint 119 - Ingestion & Evidence · 110.C) Excititor.I - -Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08). - -[Ingestion & Evidence] 110.C) Excititor.I -Depends on: Sprint 100.A - Attestor -Summary: Ingestion & Evidence focus on Excititor (phase I). -> **Prep:** Read `docs/modules/excititor/architecture.md` and the relevant Excititor `AGENTS.md` files (per component directory) before working any tasks below; this preserves the guidance that previously lived in the component boards. -Task ID | State | Task description | Owners (Source) ---- | --- | --- | --- -EXCITITOR-AIAI-31-001 `Justification enrichment` | DONE (2025-11-12) | Expose normalized VEX justifications, product scope trees, and paragraph/JSON-pointer anchors via `VexObservation` projections so Advisory AI can cite raw evidence without invoking any consensus logic. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) -EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Ship `/vex/evidence/chunks` with tenant/policy filters that streams raw statements, signature metadata, and scope scores for Retrieval-Augmented Generation clients; response must stay aggregation-only and reference observation/linkset IDs. Depends on EXCITITOR-AIAI-31-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) -EXCITITOR-AIAI-31-003 `Telemetry & guardrails` | IN REVIEW (2025-11-13) | Instrument the new evidence APIs with request counters, chunk sizes, signature verification failure meters, and AOC guard violations so Lens/Advisory AI teams can detect misuse quickly. Depends on EXCITITOR-AIAI-31-002. 
| Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService) -EXCITITOR-AIAI-31-004 `Schema & docs alignment` | TODO | Update OpenAPI/SDK/docs to codify the Advisory-AI evidence contract (fields, determinism guarantees, pagination) and describe how consumers map observation IDs back to raw storage. | Excititor WebService Guild, Docs Guild (src/Excititor/StellaOps.Excititor.WebService) -EXCITITOR-AIRGAP-56-001 `Mirror-first ingestion` | TODO | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) -EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) -EXCITITOR-AIRGAP-58-001 `Portable evidence bundles` | TODO | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) -EXCITITOR-ATTEST-01-003 `Verification suite & observability` | TODO (2025-11-06) | Finish `IVexAttestationVerifier`, wire structured diagnostics/metrics, and prove we can verify DSSE bundles for every evidence batch without touching consensus results (see `EXCITITOR-ATTEST-01-003-plan.md`). 
| Excititor Attestation Guild (src/Excititor/__Libraries/StellaOps.Excititor.Attestation) -EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) -EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core) -EXCITITOR-CONN-TRUST-01-001 `Connector provenance parity` | TODO | Update MSRC, Oracle, Ubuntu, and Stella mirror connectors to emit signer fingerprints, issuer tiers, and bundle references while remaining aggregation-only; document how Lens consumers should interpret these hints. | Excititor Connectors Guild (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*) - -## Task clusters & readiness - -### Advisory-AI evidence APIs -- **Delivered:** `EXCITITOR-AIAI-31-001` (`/v1/vex/observations/{vulnerabilityId}/{productKey}` projection API) landed 2025-11-12 with normalized justifications and anchors. -- **In flight:** `EXCITITOR-AIAI-31-003` (instrumentation + guardrails) and `EXCITITOR-AIAI-31-004` (OpenAPI/SDK/docs alignment). -- **Dependencies:** Needs `EXCITITOR-AIAI-31-002` (projection service plumbing) — confirmed completed via architecture doc; observability pipeline requires Ops dashboards. -- **Ready-to-start checklist:** finalize request/response examples in OpenAPI, add replayable telemetry fixtures, and attach Advisory-AI contract summary to this sprint doc. 
- -### AirGap ingestion & portable bundles -- **Scope:** `EXCITITOR-AIRGAP-56/57/58` (mirror-first ingestion, sealed-mode enforcement, portable evidence bundles). -- **Dependencies:** relies on Attestor DSSE verification (Sprint 100.A) and AirGap policy toggles; Evidence Locker partnership needed for portable bundle format. -- **Ready-to-start checklist:** - 1. Secure mirror bundle schema from Export Center (Sprint 162) and attach sample manifests. - 2. Document sealed-mode error catalog + diagnostics surfaced to Advisory AI/Lens during offline enforcement. - 3. Define bundle manifest → timeline ID mapping for Advisory AI, referencing Export Center + TimelineIndexer contracts. - -### Attestation & provenance chain -- **Tasks:** `EXCITITOR-ATTEST-01-003`, `EXCITITOR-ATTEST-73-001`, `EXCITITOR-ATTEST-73-002`. -- **Dependencies:** Attestor service readiness (Sprint 100.A) plus DSSE payload contract; requires `IVexAttestationVerifier` plan doc referenced in repo. -- **Ready-to-start checklist:** - 1. Finish verifier test harness & deterministic diagnostics. - 2. Capture sample attestation payload spec (supplier identity, justification summary, scope metadata) and attach here. - 3. Describe provenance linkage for `/v1/vex/attestations/{id}` + observation/linkset/product tuples in docs. - -### Connector provenance parity -- **Task:** `EXCITITOR-CONN-TRUST-01-001` (MSRC/Oracle/Ubuntu/Stella connectors). -- **Dependencies:** Source feeds must already emit signer metadata; align with AOC aggregator guardrails; ensure docs outline how Lens consumes trust hints. -- **Ready-to-start checklist:** - 1. Inventory current connector coverage + signer metadata availability. - 2. Define signer fingerprint + issuer tier schema shared across connectors (document in module README). - 3. Update acceptance tests under `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.*` to assert provenance payload. 
- -## Dependencies & blockers -- Attestor DSSE verification (`EXCITITOR-ATTEST-01-003`, Sprint 100.A) gates `EXCITITOR-ATTEST-73-001/002` and portable bundles. -- Export Center mirror bundle schema (Sprint 162) and EvidenceLocker portable bundle format (Sprint 160/161) must land before `EXCITITOR-AIRGAP-56/58` can proceed; target sync 2025-11-15. -- Observability stack (Ops/Signals wave) must expose span/metric sinks before `EXCITITOR-AIAI-31-003` instrumentation merges; waiting on Ops telemetry MR. -- Security review pending for connector provenance fingerprints to ensure no secrets leak in aggregation-only mode; Docs/Security review scheduled 2025-11-18. - -## Documentation references -- `docs/modules/excititor/architecture.md` — authoritative data model, APIs, and guardrails for Excititor. -- `docs/modules/excititor/README.md#latest-updates` — consensus beta + Advisory-AI integration context. -- `docs/modules/excititor/mirrors.md` — AirGap/mirror ingestion checklist referenced by `EXCITITOR-AIRGAP-56/57`. -- `docs/modules/excititor/operations/*` — observability + sealed-mode runbooks feeding `EXCITITOR-AIAI-31-003` instrumentation requirements. -- `docs/modules/excititor/implementation_plan.md` — per-module workstream alignment table (mirrors Sprint 200 documentation process). - -## Action tracker -| Focus | Action | Owner(s) | Due | Status | -| --- | --- | --- | --- | --- | -| Advisory-AI APIs | Publish finalized OpenAPI schema + SDK notes for projection API (`EXCITITOR-AIAI-31-004`). | Excititor WebService Guild · Docs Guild | 2025-11-15 | In review (draft shared 2025-11-13) | -| Observability | Wire metrics/traces for `/v1/vex/observations/**` and document dashboards (`EXCITITOR-AIAI-31-003`). | Excititor WebService Guild · Observability Guild | 2025-11-16 | Blocked (code + ops runbook ready; waiting on Ops span sink deploy) | -| AirGap | Capture mirror bundle schema + sealed-mode toggle requirements for `EXCITITOR-AIRGAP-56/57`. 
| Excititor Core Guild · AirGap Policy Guild | 2025-11-17 | Pending | -| Portable bundles | Draft bundle manifest + EvidenceLocker linkage notes for `EXCITITOR-AIRGAP-58-001`. | Excititor Core Guild · Evidence Locker Guild | 2025-11-18 | Pending | -| Attestation | Complete verifier suite + diagnostics for `EXCITITOR-ATTEST-01-003`. | Excititor Attestation Guild | 2025-11-16 | In progress (verifier harness 80% complete) | -| Connectors | Inventory signer metadata + plan rollout for MSRC/Oracle/Ubuntu/Stella connectors (`EXCITITOR-CONN-TRUST-01-001`). | Excititor Connectors Guild | 2025-11-19 | Pending (schema draft expected 2025-11-14) | - -## Upcoming checkpoints (UTC) -| Date | Session / Owner | Goal | Fallback | -| --- | --- | --- | --- | -| 2025-11-14 | Connector provenance schema review (Connectors + Security Guilds) | Approve signer fingerprint + issuer tier schema for `EXCITITOR-CONN-TRUST-01-001`. | If schema not ready, keep task blocked and request interim metadata list from connectors. | -| 2025-11-15 | Export Center mirror schema sync (Export Center + Excititor + AirGap) | Receive mirror bundle manifest to unblock `EXCITITOR-AIRGAP-56/57` (schema still pending). | If delayed, escalate to Sprint 162 leads and use placeholder spec with clearly marked TODO. | -| 2025-11-16 | Attestation verifier rehearsal (Excititor Attestation Guild) | Demo `IVexAttestationVerifier` harness + diagnostics to unblock `EXCITITOR-ATTEST-73-*`. | If issues persist, log BLOCKED status in attestation plan and re-forecast completion. | -| 2025-11-18 | Observability span sink deploy (Ops/Signals Guild) | Enable telemetry pipeline needed for `EXCITITOR-AIAI-31-003`. | If deploy slips, implement temporary counters/logs and keep action tracker flagged as blocked. 
| - -## Risks & mitigations -| Risk | Severity | Impact | Mitigation | -| --- | --- | --- | --- | -| Observability sinks not ready for `EXCITITOR-AIAI-31-003` | Medium | Advisory-AI misuse would go undetected | Coordinate with Ops to reuse Signals dashboards; ship log-only fallback. | -| Mirror bundle schema slips (Export Center/AirGap) | High | Blocks sealed-mode + portable bundles | Use placeholder schema from `docs/modules/export-center/architecture.md` and note deltas; escalate to Export Center leads. | -| Attestation verifier misses 2025-11-16 target | High | Attestation payload tasks cannot start | Daily stand-ups with Attestation Guild; parallelize diagnostics while verifier finalizes. | -| Connector signer metadata incomplete | Medium | Trust parity story delayed | Stage connector-specific TODOs; allow partial rollout with feature flags. | - -## Status log -- 2025-11-12 — Snapshot refreshed; EXCITITOR-AIAI-31-001 marked DONE, remaining tasks pending on observability, AirGap bundle schemas, and attestation verifier completion. -- 2025-11-13 — Added readiness checklists per task cluster plus action tracker; awaiting outcomes from Export Center mirror schema delivery and Attestor verifier rehearsals before flipping AirGap/Attestation tasks to DOING. -- 2025-11-13 (EOD) — OpenAPI draft for `EXCITITOR-AIAI-31-004` shared for review; Observability wiring blocked until Ops deploys span sink, noted above. -- 2025-11-14 — Connector provenance schema review scheduled; awaiting schema draft delivery before meeting. Export Center mirror schema still pending, keeping `EXCITITOR-AIRGAP-56/57` blocked. -- 2025-11-14 — `EXCITITOR-AIAI-31-003` instrumentation (request counters, chunk histogram, signature failure + guard-violation meters) merged into Excititor WebService; telemetry export remains blocked on Ops span sink rollout. 
-- 2025-11-14 (PM) — Published `docs/modules/excititor/operations/observability.md` documenting the new evidence metrics so Ops/Lens can hook dashboards while waiting for the span sink deployment. - -> 2025-11-12: EXCITITOR-AIAI-31-001 delivered `/v1/vex/observations/{vulnerabilityId}/{productKey}` backed by the new `IVexObservationProjectionService`, returning normalized statements (scope tree, anchors, document metadata) so Advisory AI and Console can cite raw VEX evidence without touching consensus logic. diff --git a/docs/implplan/SPRINT_120_policy_reasoning.md b/docs/implplan/SPRINT_120_policy_reasoning.md deleted file mode 100644 index fb5ce86f5..000000000 --- a/docs/implplan/SPRINT_120_policy_reasoning.md +++ /dev/null 
@@ -1,84 +0,0 @@ -# Sprint 120 - Policy & Reasoning - -_Last updated: November 8, 2025. Implementation order is DOING → TODO → BLOCKED._ - -Focus areas below were split out of the previous combined sprint; execute sections in order unless noted. - -## Findings.I -Dependency: Sprint 110.A - AdvisoryAI (must land before this track). -Focus: Policy & Reasoning focus on Findings (phase I). - -| # | Task ID & handle | State | Key dependency / next step | Owners | -| --- | --- | --- | --- | --- | -| 1 | LEDGER-29-007 | TODO | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards (Deps: LEDGER-29-006) | Findings Ledger Guild, Observability Guild / src/Findings/StellaOps.Findings.Ledger | -| 2 | LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant (Deps: LEDGER-29-007) | Findings Ledger Guild, QA Guild / src/Findings/StellaOps.Findings.Ledger | -| 3 | LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions (Deps: LEDGER-29-008) | Findings Ledger Guild, DevOps Guild / src/Findings/StellaOps.Findings.Ledger | -| 4 | LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries (Deps: LEDGER-29-009) | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | -| 5 | LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | -| 6 | LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging (Deps: 
LEDGER-AIRGAP-56-001) | Findings Ledger Guild, AirGap Time Guild / src/Findings/StellaOps.Findings.Ledger | -| 7 | LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works (Deps: LEDGER-AIRGAP-56-002) | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | -| 8 | LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context (Deps: LEDGER-AIRGAP-57-001) | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | -| 9 | LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | - -## Findings.I scope & goals -- Deliver ledger observability baselines (`LEDGER-29-007/008/009`) so Policy teams can trust ingestion, anchoring, and replay at >5 M findings/tenant. -- Extend ledger provenance to cover orchestrator jobs, air-gapped bundle imports, and attestation evidence (`LEDGER-34-101`, `LEDGER-AIRGAP-*`, `LEDGER-ATTEST-73-001`). -- Ship deployment collateral (Helm/Compose, backup/restore, offline kit) and documentation so downstream guilds can adopt without bespoke guidance. - -### Entry criteria -- Sprint 110.A AdvisoryAI deliverables must be complete (raw findings parity, provenance contracts). -- Observability Guild approves metric names/labels for `ledger_*` series. -- Mirror bundle schemas (AirGap kits) published so `LEDGER-AIRGAP-*` tasks can reference stable fields. - -### Exit criteria -- Metrics/logs/dashboards live in ops telemetry packs with alert wiring. -- Determinism/load harness produces signed report for 5 M findings/tenant scenario. -- Deployment manifests + offline kit instructions reviewed by DevOps/AirGap guilds. 
-- Ledger records referential pointers to orchestrator runs, bundle provenance, and attestation envelopes. - -## Task clusters & owners - -| Cluster | Linked tasks | Owners | Status snapshot | Notes | -| --- | --- | --- | --- | --- | -| Observability & diagnostics | LEDGER-29-007/008 | Findings Ledger Guild · Observability Guild · QA Guild | TODO | Metric/log spec captured in `docs/modules/findings-ledger/observability.md`; determinism harness spec added in `docs/modules/findings-ledger/replay-harness.md`; sequencing captured in `docs/modules/findings-ledger/implementation_plan.md`; awaiting Observability sign-off + Grafana JSON export (target 2025-11-15). | -| Deployment & backup | LEDGER-29-009 | Findings Ledger Guild · DevOps Guild | TODO | Baseline deployment/backup guide published (`docs/modules/findings-ledger/deployment.md`); need to align Compose/Helm overlays + automate migrations. | -| Orchestrator provenance | LEDGER-34-101 | Findings Ledger Guild | TODO | Blocked until Orchestrator exports job ledger payload; coordinate with Sprint 150.A. | -| Air-gap provenance & staleness | LEDGER-AIRGAP-56/57/58 series | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | TODO | Requirements captured in `docs/modules/findings-ledger/airgap-provenance.md`; blocked on mirror bundle schema freeze + AirGap controller inputs. | -| Attestation linkage | LEDGER-ATTEST-73-001 | Findings Ledger Guild · Attestor Service Guild | TODO | Waiting on attestation payload pointers from NOTIFY-ATTEST-74-001 work to reuse DSSE IDs. | - -## Milestones & dependencies - -| Target date | Milestone | Dependency / owner | Notes | -| --- | --- | --- | --- | -| 2025-11-15 | Metrics + dashboard schema sign-off | Observability Guild | Unblocks LEDGER-29-007 instrumentation PR. | -| 2025-11-18 | Determinism + replay harness dry-run at 5 M findings | QA Guild | Required before LEDGER-29-008 can close. 
| -| 2025-11-20 | Helm/Compose manifests + backup doc review | DevOps Guild · AirGap Controller Guild | Needed for LEDGER-29-009 + LEDGER-AIRGAP-56-001. | -| 2025-11-22 | Mirror bundle provenance schema freeze | AirGap Time Guild | Enables LEDGER-AIRGAP-56/57/58 sequencing. | -| 2025-11-25 | Orchestrator ledger export contract signed | Orchestrator Guild | Prereq for LEDGER-34-101 linkage. | - -## Risks & mitigations -- **Metric churn** — Observability schema changes could slip schedule. Mitigation: lock metric names by Nov 15 and document in `docs/observability/policy.md`. -- **Replay workload** — 5 M findings load tests may exceed lab capacity. Mitigation: leverage existing QA replay rig, capture CPU/memory budgets for runbooks. -- **Air-gap drift** — Mirror bundle format still moving. Mitigation: version provenance schema, gate LEDGER-AIRGAP-* merge until doc + manifest updates reviewed. -- **Cross-guild lag** — Orchestrator/Attestor dependencies may delay provenance pointers. Mitigation: weekly sync notes in sprint log; add feature flags so ledger work can merge behind toggles. - -## External dependency tracker - -| Dependency | Current state (2025-11-13) | Impact | -| --- | --- | --- | -| Sprint 110.A AdvisoryAI | DONE | Enables Findings.I start; monitor regressions. | -| Observability metric schema | IN REVIEW | Blocks LEDGER-29-007/008 dashboards. | -| Orchestrator job export contract | TODO | Required for LEDGER-34-101; tracked in Sprint 150.A wave table. | -| Mirror bundle schema | DRAFT | Needed for LEDGER-AIRGAP-56/57/58 messaging + manifests. | -| Attestation pointer schema | DRAFT | Needs alignment with NOTIFY-ATTEST-74-001 to reuse DSSE IDs. | - -## Coordination log - -| Date (UTC) | Update | Owner | -| --- | --- | --- | -| 2025-11-13 09:30 | Documented Findings.I scope, milestones, and external dependencies; awaiting Observability + Orchestrator inputs before flipping any tasks to DOING. 
| Findings Ledger Guild | -| 2025-11-13 10:45 | Published `docs/modules/findings-ledger/observability.md` detailing metrics/logs/alerts required for LEDGER-29-007/008; sent draft to Observability Guild for review. | Findings Ledger Guild | -| 2025-11-13 11:20 | Added `docs/modules/findings-ledger/deployment.md` covering Compose/Helm rollout, migrations, backup/restore, and offline workflows for LEDGER-29-009. | Findings Ledger Guild | -| 2025-11-13 11:50 | Added `docs/modules/findings-ledger/replay-harness.md` outlining fixtures, CLI workflow, and reporting for LEDGER-29-008 determinism tests. | Findings Ledger Guild | -| 2025-11-13 12:05 | Drafted `docs/modules/findings-ledger/implementation_plan.md` summarizing phase sequencing and dependencies for Findings.I. | Findings Ledger Guild | -| 2025-11-13 12:25 | Authored `docs/modules/findings-ledger/airgap-provenance.md` detailing bundle provenance, staleness, evidence snapshot, and timeline requirements for LEDGER-AIRGAP-56/57/58. | Findings Ledger Guild | diff --git a/docs/implplan/SPRINT_186_record_deterministic_execution.md b/docs/implplan/SPRINT_186_record_deterministic_execution.md index 45ce37f7f..083d1c433 100644 --- a/docs/implplan/SPRINT_186_record_deterministic_execution.md +++ b/docs/implplan/SPRINT_186_record_deterministic_execution.md 
@@ -18,6 +18,9 @@ SCAN-DETER-186-009 | TODO | Build a determinism harness that replays N scans per SCAN-DETER-186-010 | TODO | Emit and publish `determinism.json` (scores, artifact hashes, non-identical diffs) alongside each scanner release via CAS/object storage APIs (documented in `docs/modules/scanner/determinism-score.md`). | Scanner Guild, Export Center Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/operations/release.md`) SCAN-ENTROPY-186-011 | TODO | Implement entropy analysis for ELF/PE/Mach-O executables and large opaque blobs (sliding-window metrics, section heuristics), flagging high-entropy regions and recording offsets/hints (see `docs/modules/scanner/entropy.md`). | Scanner Guild (`src/Scanner/StellaOps.Scanner.Worker`, `src/Scanner/__Libraries`) SCAN-ENTROPY-186-012 | TODO | Generate `entropy.report.json` and image-level penalties, attach evidence to scan manifests/attestations, and expose opaque ratios for downstream policy engines (`docs/modules/scanner/entropy.md`). | Scanner Guild, Provenance Guild (`src/Scanner/StellaOps.Scanner.WebService`, `docs/replay/DETERMINISTIC_REPLAY.md`) +SCAN-CACHE-186-013 | TODO | Implement layer-level SBOM/VEX cache keyed by (layer digest + manifest hash + tool/feed/policy IDs); re-verify DSSE attestations on cache hits and persist indexes for reuse/diagnostics; document in `docs/modules/scanner/architecture.md` referencing the 16-Nov-2026 layer cache advisory. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`) +SCAN-DIFF-CLI-186-014 | TODO | Add deterministic diff-aware rescan workflow (writes `scan.lock.json`, emits JSON Patch diffs, CLI verbs `stella scan --emit-diff` and `stella diff`) with replayable tests and docs aligned to the 15/16-Nov diff-aware advisories. 
| Scanner Guild · CLI Guild (`src/Scanner/StellaOps.Scanner.WebService`, `src/Cli/StellaOps.Cli`, `tests/Scanner`, `docs/modules/scanner/operations/release.md`) +SBOM-BRIDGE-186-015 | TODO | Establish SPDX 3.0.1 as canonical SBOM persistence and build a deterministic CycloneDX 1.6 exporter (mapping table + library); update scanner/SBOM docs and wire snapshot hashes into replay manifests. | Sbomer Guild · Scanner Guild (`src/Sbomer`, `src/Scanner/StellaOps.Scanner.WebService`, `docs/modules/scanner/architecture.md`) DOCS-REPLAY-186-004 | TODO | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade) and link it from both replay docs and Scanner architecture pages. | Docs Guild (`docs`) > 2025-11-03: `docs/replay/TEST_STRATEGY.md` drafted — Scanner/Signer guilds should shift replay tasks to **DOING** when engineering picks up implementation. diff --git a/docs/implplan/SPRINT_187_evidence_locker_cli_integration.md b/docs/implplan/SPRINT_187_evidence_locker_cli_integration.md index 10d693cb2..532694f07 100644 --- a/docs/implplan/SPRINT_187_evidence_locker_cli_integration.md +++ b/docs/implplan/SPRINT_187_evidence_locker_cli_integration.md 
@@ -10,6 +10,7 @@ EVID-REPLAY-187-001 | TODO | Implement replay bundle ingestion/retention APIs in CLI-REPLAY-187-002 | TODO | Add `scan --record`, `verify`, `replay`, `diff` commands to the CLI with offline bundle resolution; update `docs/modules/cli/architecture.md` and add a replay commands appendix citing `docs/replay/DEVS_GUIDE_REPLAY.md`. | DevEx/CLI Guild (`src/Cli/StellaOps.Cli`, `docs/modules/cli/architecture.md`) ATTEST-REPLAY-187-003 | TODO | Wire Attestor/Rekor anchoring for replay manifests and capture verification APIs; extend `docs/modules/attestor/architecture.md` with a replay ledger flow referencing `docs/replay/DETERMINISTIC_REPLAY.md` Section 9. | Attestor Guild (`src/Attestor/StellaOps.Attestor`, `docs/modules/attestor/architecture.md`) RUNBOOK-REPLAY-187-004 | TODO | Publish `/docs/runbooks/replay_ops.md` covering retention enforcement, RootPack rotation, offline kits, and verification drills; cross-link from replay specification summary. | Docs Guild, Ops Guild (`docs`) +VALIDATE-BUNDLE-187-005 | TODO | Deliver `VALIDATION_PLAN.md`, harness scripts (A/B quiet vs baseline, provenance bundle export), and a `stella bundle verify` CLI subcommand that checks DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits. | QA Guild · CLI Guild · Docs Guild (`docs/validation`, `scripts/validation`, `src/Cli/StellaOps.Cli`) EVID-CRYPTO-90-001 | TODO | Route Evidence Locker hashing/signing (manifest digests, DSSE assembly, bundle encryption) through `ICryptoProviderRegistry`/`ICryptoHash` so sovereign profiles (e.g., `ru-offline`) can swap providers per `docs/security/crypto-routing-audit-2025-11-07.md`. | Evidence Locker Guild, Security Guild (`src/EvidenceLocker/StellaOps.EvidenceLocker`) > 2025-11-03: `/docs/runbooks/replay_ops.md` created — Evidence Locker, CLI, Attestor teams can transition replay delivery tasks to **DOING** alongside Ops runbook rehearsals. 
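Review bot: in the added VALIDATE-BUNDLE-187-005 row (SPRINT_187 hunk), `stella bundle verify` is described as checking "DSSE/Rekor/SBOM/policy/replay claims end-to-end for offline audits", but the row does not say what happens when one of those claims is absent from the bundle or cannot be checked offline. Please state that a missing or unverifiable claim fails verification instead of being skipped, and how the Rekor claim is checked without reaching a log. The row also names no dependency on ATTEST-REPLAY-187-003 (Rekor anchoring, still TODO) or on the `verify` command that CLI-REPLAY-187-002 adds in the same table; say whether the new subcommand wraps or replaces that `verify`.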
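Review bot: in the added SCAN-CACHE-186-013 row (SPRINT_186 hunk), the reference to "the 16-Nov-2026 layer cache advisory" looks like a year typo, since the next added row cites "15/16-Nov" advisories and the note under the table is dated 2025-11-03. Please confirm the date and cite both advisories by path so the rows are traceable. The same row says DSSE attestations are re-verified on cache hits but not what a failed re-verification does; spell out that the entry is treated as a miss and is not served. SCAN-DIFF-CLI-186-014 also adds a `stella diff` verb while CLI-REPLAY-187-002 in SPRINT_187 adds a `diff` command, so note which task owns the verb.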
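Review bot: the deletion of `docs/implplan/SPRINT_120_policy_reasoning.md` removes nine LEDGER-* rows that are all still TODO, together with the milestone table (2025-11-15 to 2025-11-25), the external dependency tracker and the coordination log, and the hunks visible here do not show where that content moves. Please name the successor file in the commit message or keep a one-line pointer in place of the file, so the open ledger items (the Merkle anchoring alerts in LEDGER-29-007, the attestation envelope pointers in LEDGER-ATTEST-73-001) stay trackable.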
diff --git a/docs/implplan/SPRINT_401_reachability_evidence_chain.md b/docs/implplan/SPRINT_401_reachability_evidence_chain.md index 31dc920e9..52b0a62e3 100644 --- a/docs/implplan/SPRINT_401_reachability_evidence_chain.md +++ b/docs/implplan/SPRINT_401_reachability_evidence_chain.md 
@@ -55,5 +55,8 @@ _Theme:_ Finish the provable reachability pipeline (graph CAS → replay → DSS | PROV-INLINE-401-028 | DONE | Extend Authority/Feedser event writers to attach inline DSSE + Rekor references on every SBOM/VEX/scan event using `StellaOps.Provenance.Mongo`. | Authority Guild · Feedser Guild (`docs/provenance/inline-dsse.md`, `src/__Libraries/StellaOps.Provenance.Mongo`) | | PROV-BACKFILL-401-029 | DOING | Backfill historical Mongo events with DSSE/Rekor metadata by resolving known attestations per subject digest (wiring ingestion helpers + endpoint tests in progress). | Platform Guild (`docs/provenance/inline-dsse.md`, `scripts/publish_attestation_with_provenance.sh`) | | PROV-INDEX-401-030 | TODO | Deploy provenance indexes (`events_by_subject_kind_provenance`, etc.) and expose compliance/replay queries. | Platform Guild · Ops Guild (`docs/provenance/inline-dsse.md`, `ops/mongo/indices/events_provenance_indices.js`) | +| QA-CORPUS-401-031 | TODO | Build and publish the multi-runtime reachability corpus (Go/.NET/Python/Rust) with EXPECT.yaml ground truths and captured traces; wire fixtures into CI so reachability scoring and VEX proofs are continuously validated. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/DELIVERY_GUIDE.md`) | +| UI-VEX-401-032 | TODO | Add UI/CLI “Explain/Verify” surfaces on VEX decisions (show call paths, runtime hits, attestation verify button) and align with reachability evidence output. | UI Guild · CLI Guild · Scanner Guild (`src/UI/StellaOps.UI`, `src/Cli/StellaOps.Cli`, `docs/reachability/function-level-evidence.md`) | +| POLICY-GATE-401-033 | TODO | Enforce policy gate requiring reachability evidence for `not_affected`/`unreachable` VEX outcomes; fall back to “under review” when symbol confidence is low; update policy docs and tests. 
| Policy Guild · Scanner Guild (`src/Policy/StellaOps.Policy.Engine`, `docs/policy/dsl.md`, `docs/modules/scanner/architecture.md`) | > Use `docs/reachability/DELIVERY_GUIDE.md` for architecture context, dependencies, and acceptance tests. diff --git a/docs/implplan/archived/all-tasks.md b/docs/implplan/archived/all-tasks.md new file mode 100644 index 000000000..d0fc71153 --- /dev/null +++ b/docs/implplan/archived/all-tasks.md @@ -0,0 +1,1595 @@ +# Archived Implementation Index + +Consolidated task ledger for everything under `docs/implplan/archived/` (sprints, task ledgers, and update notes) in a common table. + +| Source | Section | Task ID | State | Description | Owners | Depends / Notes | Last Updated | +| --- | --- | --- | --- | --- | --- | --- | --- | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDMODELS-SCHEMA-01-001 | DONE (2025-10-12) | SemVer primitive range-style metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md. This task lays the groundwork—complete the SemVer helper updates before teammates pick up FEEDMODELS-SCHEMA-01-002/003 and FEEDMODELS-SCHEMA-02-900. Use ./src/FASTER_MODELING_AND_NORMALIZATION.md for the target rule structure. | Team Models & Merge Leads | Path: src/Concelier/__Libraries/StellaOps.Concelier.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDMODELS-SCHEMA-01-002 | DONE (2025-10-11) | Provenance decision rationale field
Instructions to work:
AdvisoryProvenance now carries `decisionReason` and docs/tests were updated. Connectors and merge tasks should populate the field when applying precedence/freshness/tie-breaker logic; see src/Concelier/__Libraries/StellaOps.Concelier.Models/PROVENANCE_GUIDELINES.md for usage guidance. | Team Models & Merge Leads | Path: src/Concelier/__Libraries/StellaOps.Concelier.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDMODELS-SCHEMA-01-003 | DONE (2025-10-11) | Normalized version rules collection
Instructions to work:
`AffectedPackage.NormalizedVersions` and supporting comparer/docs/tests shipped. Connector owners must emit rule arrays per ./src/FASTER_MODELING_AND_NORMALIZATION.md and report progress via FEEDMERGE-COORD-02-900 so merge/storage backfills can proceed. | Team Models & Merge Leads | Path: src/Concelier/__Libraries/StellaOps.Concelier.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDMODELS-SCHEMA-02-900 | DONE (2025-10-12) | Range primitives for SemVer/EVR/NEVRA metadata
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md before resuming this stalled effort. Confirm helpers align with the new `NormalizedVersions` representation so connectors finishing in Sprint 2 can emit consistent metadata. | Team Models & Merge Leads | Path: src/Concelier/__Libraries/StellaOps.Concelier.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDNORM-NORM-02-001 | DONE (2025-10-11) | SemVer normalized rule emitter
Shared `SemVerRangeRuleBuilder` now outputs primitives + normalized rules per `FASTER_MODELING_AND_NORMALIZATION.md`; CVE/GHSA connectors consuming the API have verified fixtures. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Normalization | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDSTORAGE-DATA-02-001 | DONE (2025-10-11) | Normalized range dual-write + backfill
AdvisoryStore dual-writes flattened `normalizedVersions` when `concelier.storage.enableSemVerStyle` is set; migration `20251011-semver-style-backfill` updates historical records and docs outline the rollout. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDSTORAGE-DATA-02-002 | DONE (2025-10-11) | Provenance decision reason persistence
Storage now persists `provenance.decisionReason` for advisories and merge events; tests cover round-trips. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDSTORAGE-DATA-02-003 | DONE (2025-10-11) | Normalized versions indexing
Bootstrapper seeds compound/sparse indexes for flattened normalized rules and `docs/dev/mongo_indices.md` documents query guidance. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDSTORAGE-TESTS-02-004 | DONE (2025-10-11) | Restore AdvisoryStore build after normalized versions refactor
Updated constructors/tests keep storage suites passing with the new feature flag defaults. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-ENGINE-01-002 | DONE (2025-10-12) | Plumb Authority client resilience options
WebService wires `authority.resilience.*` into `AddStellaOpsAuthClient` and adds binding coverage via `AuthorityClientResilienceOptionsAreBound`. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-003 | DONE (2025-10-12) | Author ops guidance for resilience tuning
Install/runbooks document connected vs air-gapped resilience profiles and monitoring hooks. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-004 | DONE (2025-10-12) | Document authority bypass logging patterns
Operator guides now call out `route/status/subject/clientId/scopes/bypass/remote` audit fields and SIEM triggers. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-005 | DONE (2025-10-12) | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and links audit signals to the rollout checklist. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | SEC3.HOST | DONE (2025-10-11) | Rate limiter policy binding
Authority host now applies configuration-driven fixed windows to `/token`, `/authorize`, and `/internal/*`; integration tests assert 429 + `Retry-After` headers; docs/config samples refreshed for Docs guild diagrams. | Team WebService & Authority | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | SEC3.BUILD | DONE (2025-10-11) | Authority rate-limiter follow-through
`Security.RateLimiting` now fronts token/authorize/internal limiters; Authority + Configuration matrices (`dotnet test src/Authority/StellaOps.Authority/StellaOps.Authority.sln`, `dotnet test src/__Libraries/__Tests/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) passed on 2025-10-11; awaiting #authority-core broadcast. | Team WebService & Authority | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHCORE-BUILD-OPENIDDICT / AUTHCORE-STORAGE-DEVICE-TOKENS / AUTHCORE-BOOTSTRAP-INVITES | DONE (2025-10-14) | Address remaining Authority compile blockers (OpenIddict transaction shim, token device document, bootstrap invite cleanup) so `dotnet build src/Authority/StellaOps.Authority/StellaOps.Authority.sln` returns success. | Team Authority Platform & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | PLG6.DOC | DONE (2025-10-11) | Plugin developer guide polish
Section 9 now documents rate limiter metadata, config keys, and lockout interplay; YAML samples updated alongside Authority config templates. | Team WebService & Authority | Path: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-001 | DONE (2025-10-11) | Fetch pipeline & state tracking
Summary planner now drives monthly/yearly VINCE fetches, persists pending summaries/notes, and hydrates VINCE detail queue with telemetry.
Team instructions: Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/AGENTS.md. Coordinate daily with Models/Merge leads so new normalizedVersions output and provenance tags stay aligned with ./src/FASTER_MODELING_AND_NORMALIZATION.md. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-002 | DONE (2025-10-11) | VINCE note detail fetcher
Summary planner queues VINCE note detail endpoints, persists raw JSON with SHA/ETag metadata, and records retry/backoff metrics. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-003 | DONE (2025-10-11) | DTO & parser implementation
Added VINCE DTO aggregate, Markdown→text sanitizer, vendor/status/vulnerability parsers, and parser regression fixture. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-004 | DONE (2025-10-11) | Canonical mapping & range primitives
VINCE DTO aggregate flows through `CertCcMapper`, emitting vendor range primitives + normalized version rules that persist via `_advisoryStore`. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-005 | DONE (2025-10-12) | Deterministic fixtures/tests
Snapshot harness refreshed 2025-10-12; `certcc-*.snapshot.json` regenerated and regression suite green without UPDATE flag drift. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-006 | DONE (2025-10-12) | Telemetry & documentation
`CertCcDiagnostics` publishes summary/detail/parse/map metrics (meter `StellaOps.Concelier.Connector.CertCc`), README documents instruments, and log guidance captured for Ops on 2025-10-12. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-007 | DONE (2025-10-12) | Connector test harness remediation
Harness now wires `AddSourceCommon`, resets `FakeTimeProvider`, and passes canned-response regression run dated 2025-10-12. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-008 | DONE (2025-10-11) | Snapshot coverage handoff
Fixtures regenerated with normalized ranges + provenance fields on 2025-10-11; QA handoff notes published and merge backfill unblocked. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-012 | DONE (2025-10-12) | Schema sync & snapshot regen follow-up
Fixtures regenerated with normalizedVersions + provenance decision reasons; handoff notes updated for Merge backfill 2025-10-12. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-009 | DONE (2025-10-11) | Detail/map reintegration plan
Staged reintegration plan published in `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc/FEEDCONN-CERTCC-02-009_PLAN.md`; coordinates enablement with FEEDCONN-CERTCC-02-004. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CERTCC-02-010 | DONE (2025-10-12) | Partial-detail graceful degradation
Detail fetch now tolerates 404/403/410 responses and regression tests cover mixed endpoint availability. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertCc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-REDHAT-02-001 | DONE (2025-10-11) | Fixture validation sweep
Instructions to work:
Fixtures regenerated post-model-helper rollout; provenance ordering and normalizedVersions scaffolding verified via tests. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. | Team Connector Resumption – CERT/RedHat | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-APPLE-02-001 | DONE (2025-10-12) | Canonical mapping & range primitives
Mapper emits SemVer rules (`scheme=apple:*`); fixtures regenerated with trimmed references + new RSR coverage, update tooling finalized. | Team Vendor Apple Specialists | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-APPLE-02-002 | DONE (2025-10-11) | Deterministic fixtures/tests
Sanitized live fixtures + regression snapshots wired into tests; normalized rule coverage asserted. | Team Vendor Apple Specialists | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-APPLE-02-003 | DONE (2025-10-11) | Telemetry & documentation
Apple meter metrics wired into Concelier WebService OpenTelemetry configuration; README and fixtures document normalizedVersions coverage. | Team Vendor Apple Specialists | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-APPLE-02-004 | DONE (2025-10-12) | Live HTML regression sweep
Sanitised HT125326/HT125328/HT106355/HT214108/HT215500 fixtures recorded and regression tests green on 2025-10-12. | Team Vendor Apple Specialists | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-APPLE-02-005 | DONE (2025-10-11) | Fixture regeneration tooling
`UPDATE_APPLE_FIXTURES=1` flow fetches & rewrites fixtures; README documents usage.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md. Resume stalled tasks, ensuring normalizedVersions output and fixtures align with ./src/FASTER_MODELING_AND_NORMALIZATION.md before handing data to the conflict sprint. | Team Vendor Apple Specialists | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Apple | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-GHSA-02-001 | DONE (2025-10-12) | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors. | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-OSV-02-003 | DONE (2025-10-12) | OSV normalized versions & freshness | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-NVD-02-002 | DONE (2025-10-12) | NVD normalized versions & timestamps | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-CVE-02-003 | DONE (2025-10-12) | CVE normalized versions uplift | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-KEV-02-003 | DONE (2025-10-12) | KEV normalized versions propagation | Team Connector Normalized Versions Rollout | Path: 
src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-OSV-04-003 | DONE (2025-10-12) | OSV parity fixture refresh | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-001 | DONE (2025-10-10) | Document authority toggle & scope requirements
Quickstart carries toggle/scope guidance pending docs guild review (no change this sprint). | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-003 | DONE (2025-10-12) | Author ops guidance for resilience tuning
Operator docs now outline connected vs air-gapped resilience profiles and monitoring cues. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-004 | DONE (2025-10-12) | Document authority bypass logging patterns
Audit logging guidance highlights `route/status/subject/clientId/scopes/bypass/remote` fields and SIEM alerts. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-DOCS-01-005 | DONE (2025-10-12) | Update Concelier operator guide for enforcement cutoff
Install guide reiterates the 2025-12-31 cutoff and ties audit signals to rollout checks. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-OPS-01-006 | DONE (2025-10-11) | Rename plugin drop directory to namespaced path
Build outputs, tests, and docs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-OPS-01-007 | DONE (2025-10-11) | Authority resilience adoption
Deployment docs and CLI notes explain the LIB5 resilience knobs for rollout.
Instructions to work:
DONE Read ./AGENTS.md and src/Concelier/StellaOps.Concelier.WebService/AGENTS.md. These items were mid-flight; resume implementation ensuring docs/operators receive timely updates. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHCORE-ENGINE-01-001 | DONE (2025-10-11) | CORE8.RL — Rate limiter plumbing validated; integration tests green and docs handoff recorded for middleware ordering + Retry-After headers (see `docs/dev/authority-rate-limit-tuning-outline.md` for continuing guidance). | Team Authority Platform & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHCRYPTO-ENGINE-01-001 | DONE (2025-10-11) | SEC3.A — Shared metadata resolver confirmed via host test run; SEC3.B now unblocked for tuning guidance (outline captured in `docs/dev/authority-rate-limit-tuning-outline.md`). | Team Authority Platform & Security Guild | Path: src/__Libraries/StellaOps.Cryptography | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHSEC-DOCS-01-002 | DONE (2025-10-13) | SEC3.B — Published `docs/security/rate-limits.md` with tuning matrix, alert thresholds, and lockout interplay guidance; Docs guild can lift copy into plugin guide. | Team Authority Platform & Security Guild | Path: src/__Libraries/StellaOps.Cryptography | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHSEC-CRYPTO-02-001 | DONE (2025-10-14) | SEC5.B1 — Introduce libsodium signing provider and parity tests to unblock CLI verification enhancements. 
| Team Authority Platform & Security Guild | Path: src/__Libraries/StellaOps.Cryptography | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Bootstrap & Replay Hardening | AUTHSEC-CRYPTO-02-004 | DONE (2025-10-14) | SEC5.D/E — Finish bootstrap invite lifecycle (API/store/cleanup) and token device heuristics; build currently red due to pending handler integration. | Security Guild | Path: src/__Libraries/StellaOps.Cryptography | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Developer Tooling | AUTHCLI-DIAG-01-001 | DONE (2025-10-15) | Surface password policy diagnostics in CLI startup/output so operators see weakened overrides immediately.
CLI now loads Authority plug-ins at startup, logs weakened password policies (length/complexity), and regression coverage lives in `StellaOps.Cli.Tests/Services/AuthorityDiagnosticsReporterTests`. | DevEx/CLI | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | AUTHPLUG-DOCS-01-001 | DONE (2025-10-11) | PLG6.DOC — Developer guide copy + diagrams merged 2025-10-11; limiter guidance incorporated and handed to Docs guild for asset export. | Team Authority Platform & Security Guild | Path: src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDNORM-NORM-02-001 | DONE (2025-10-12) | SemVer normalized rule emitter
`SemVerRangeRuleBuilder` shipped 2025-10-12 with comparator/` | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Normalization | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDSTORAGE-DATA-02-001 | DONE (2025-10-11) | Normalized range dual-write + backfill | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDSTORAGE-DATA-02-002 | DONE (2025-10-11) | Provenance decision reason persistence | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDSTORAGE-DATA-02-003 | DONE (2025-10-11) | Normalized versions indexing
Indexes seeded + docs updated 2025-10-11 to cover flattened normalized rules for connector adoption. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDMERGE-ENGINE-02-002 | DONE (2025-10-11) | Normalized versions union & dedupe
Affected package resolver unions/dedupes normalized rules, stamps merge provenance with `decisionReason`, and tests cover the rollout. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-GHSA-02-001 | DONE (2025-10-11) | GHSA normalized versions & provenance | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-GHSA-02-004 | DONE (2025-10-11) | GHSA credits & ecosystem severity mapping | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-GHSA-02-005 | DONE (2025-10-12) | GitHub quota monitoring & retries | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-GHSA-02-006 | DONE (2025-10-12) | Production credential & scheduler rollout | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-GHSA-02-007 | DONE (2025-10-12) | Credit parity regression fixtures | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-NVD-02-002 | DONE 
(2025-10-11) | NVD normalized versions & timestamps | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-NVD-02-004 | DONE (2025-10-11) | NVD CVSS & CWE precedence payloads | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-NVD-02-005 | DONE (2025-10-12) | NVD merge/export parity regression | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-OSV-02-003 | DONE (2025-10-11) | OSV normalized versions & freshness | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-OSV-02-004 | DONE (2025-10-11) | OSV references & credits alignment | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-OSV-02-005 | DONE (2025-10-12) | Fixture updater workflow
Resolved 2025-10-12: OSV mapper now derives canonical PURLs for Go + scoped npm packages when raw payloads omit `purl`; conflict fixtures unchanged for invalid npm names. Verified via `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa.Tests`, `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd.Tests`, and backbone normalization/storage suites. | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-ACSC-02-001 … 02-008 | DONE (2025-10-12) | Fetch→parse→map pipeline, fixtures, diagnostics, and README finished 2025-10-12; downstream export parity captured via FEEDEXPORT-JSON-04-001 / FEEDEXPORT-TRIVY-04-001 (completed). | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Acsc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-CCCS-02-001 … 02-008 | DONE (2025-10-16) | Observability meter, historical harvest plan, and DOM sanitizer refinements wrapped; ops notes live under `docs/modules/concelier/operations/connectors/cccs.md` with fixtures validating EN/FR list handling. 
| Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cccs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-CERTBUND-02-001 … 02-008 | DONE (2025-10-15) | Telemetry/docs (02-006) and history/locale sweep (02-007) completed alongside pipeline; runbook `docs/modules/concelier/operations/connectors/certbund.md` captures locale guidance and offline packaging. | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.CertBund | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-KISA-02-001 … 02-007 | DONE (2025-10-14) | Connector, tests, and telemetry/docs (02-006) finalized; localisation notes in `docs/dev/kisa_connector_notes.md` complete rollout. | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kisa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-RUBDU-02-001 … 02-008 | DONE (2025-10-14) | Fetch/parser/mapper refinements, regression fixtures, telemetry/docs, access options, and trusted root packaging all landed; README documents offline access strategy. | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Bdu | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-NKCKI-02-001 … 02-008 | DONE (2025-10-13) | Listing fetch, parser, mapper, fixtures, telemetry/docs, and archive plan finished; Mongo2Go/libcrypto dependency resolved via bundled OpenSSL noted in ops guide. 
| Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ru.Nkcki | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-ICSCISA-02-001 … 02-011 | DONE (2025-10-16) | Feed parser attachment fixes, SemVer exact values, regression suites, telemetry/docs updates, and handover complete; ops runbook now details attachment verification + proxy usage. | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ics.Cisa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-CISCO-02-001 … 02-007 | DONE (2025-10-14) | OAuth fetch pipeline, DTO/mapping, tests, and telemetry/docs shipped; monitoring/export integration follow-ups recorded in Ops docs and exporter backlog (completed). | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Cisco | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-MSRC-02-001 … 02-008 | DONE (2025-10-15) | Azure AD onboarding (02-008) unblocked fetch/parse/map pipeline; fixtures, telemetry/docs, and Offline Kit guidance published in `docs/modules/concelier/operations/connectors/msrc.md`. | Team Connector Expansion – Regional & Vendor Feeds | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Vndr.Msrc | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-CVE-02-001 … 02-002 | DONE (2025-10-15) | CVE data-source selection, fetch pipeline, and docs landed 2025-10-10. 
2025-10-15: smoke verified using the seeded mirror fallback; connector now logs a warning and pulls from `seed-data/cve/` until live CVE Services credentials arrive. | Team Connector Support & Monitoring | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Cve | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDCONN-KEV-02-001 … 02-002 | DONE (2025-10-12) | KEV catalog ingestion, fixtures, telemetry, and schema validation completed 2025-10-12; ops dashboard published. | Team Connector Support & Monitoring | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Kev | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDDOCS-DOCS-01-001 | DONE (2025-10-11) | Canonical schema docs refresh
Updated canonical schema + provenance guides with SemVer style, normalized version rules, decision reason change log, and migration notes. | Team Docs & Knowledge Base | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDDOCS-DOCS-02-001 | DONE (2025-10-11) | Concelier-SemVer Playbook
Published merge playbook covering mapper patterns, dedupe flow, indexes, and rollout checklist. | Team Docs & Knowledge Base | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 2 — Connector & Data Implementation Wave | FEEDDOCS-DOCS-02-002 | DONE (2025-10-11) | Normalized versions query guide
Delivered Mongo index/query addendum with `$unwind` recipes, dedupe checks, and operational checklist.
Instructions to work:
DONE Read ./AGENTS.md and docs/AGENTS.md. Document every schema/index/query change produced in Sprint 1-2 leveraging ./src/FASTER_MODELING_AND_NORMALIZATION.md. | Team Docs & Knowledge Base | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDCORE-ENGINE-03-001 | DONE (2025-10-11) | Canonical merger implementation
`CanonicalMerger` ships with freshness/tie-breaker logic, provenance, and unit coverage feeding Merge. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDCORE-ENGINE-03-002 | DONE (2025-10-11) | Field precedence and tie-breaker map
Field precedence tables and tie-breaker metrics wired into the canonical merge flow; docs/tests updated.
Instructions to work:
Read ./AGENTS.md and core AGENTS. Implement the conflict resolver exactly as specified in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md, coordinating with Merge and Storage teammates. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDSTORAGE-DATA-03-001 | DONE (2025-10-11) | Merge event provenance audit prep
Merge events now persist `fieldDecisions` and analytics-ready provenance snapshots. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDSTORAGE-DATA-02-001 | DONE (2025-10-11) | Normalized range dual-write + backfill
Dual-write/backfill flag delivered; migration + options validated in tests. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDSTORAGE-TESTS-02-004 | DONE (2025-10-11) | Restore AdvisoryStore build after normalized versions refactor
Storage tests adjusted for normalized versions/decision reasons.
Instructions to work:
Read ./AGENTS.md and storage AGENTS. Extend merge events with decision reasons and analytics views to support the conflict rules, and deliver the dual-write/backfill for `NormalizedVersions` + `decisionReason` so connectors can roll out safely. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDMERGE-ENGINE-04-001 | DONE (2025-10-11) | GHSA/NVD/OSV conflict rules
Merge pipeline consumes `CanonicalMerger` output prior to precedence merge. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDMERGE-ENGINE-04-002 | DONE (2025-10-11) | Override metrics instrumentation
Merge events capture per-field decisions; counters/logs align with conflict rules. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDMERGE-ENGINE-04-003 | DONE (2025-10-11) | Reference & credit union pipeline
Canonical merge preserves unions with updated tests. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDMERGE-QA-04-001 | DONE (2025-10-11) | End-to-end conflict regression suite
Added regression tests (`AdvisoryMergeServiceTests`) covering canonical + precedence flow.
Instructions to work:
Read ./AGENTS.md and merge AGENTS. Integrate the canonical merger, instrument metrics, and deliver comprehensive regression tests following ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDCONN-GHSA-04-002 | DONE (2025-10-12) | GHSA conflict regression fixtures | Team Connector Regression Fixtures | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDCONN-NVD-04-002 | DONE (2025-10-12) | NVD conflict regression fixtures | Team Connector Regression Fixtures | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Nvd | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDCONN-OSV-04-002 | DONE (2025-10-12) | OSV conflict regression fixtures
Instructions to work:
Read ./AGENTS.md and module AGENTS. Produce fixture triples supporting the precedence/tie-breaker paths defined in ./src/DEDUP_CONFLICTS_RESOLUTION_ALGO.md and hand them to Merge QA. | Team Connector Regression Fixtures | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDDOCS-DOCS-05-001 | DONE (2025-10-11) | Concelier Conflict Rules
Runbook published at `docs/modules/concelier/operations/conflict-resolution.md`; metrics/log guidance aligned with Sprint 3 merge counters. | Team Documentation Guild – Conflict Guidance | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 3 — Conflict Resolution Integration & Communications | FEEDDOCS-DOCS-05-002 | DONE (2025-10-16) | Conflict runbook ops rollout
Ops review completed, alert thresholds applied, and change log appended in `docs/modules/concelier/operations/conflict-resolution.md`; task closed after connector signals verified. | Team Documentation Guild – Conflict Guidance | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDMODELS-SCHEMA-04-001 | DONE (2025-10-15) | Advisory schema parity (description/CWE/canonical metric)
Extend `Advisory` and related records with description text, CWE collection, and canonical metric pointer; refresh validation + serializer determinism tests. | Team Models & Merge Leads | Path: src/Concelier/__Libraries/StellaOps.Concelier.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDCORE-ENGINE-04-003 | DONE (2025-10-15) | Canonical merger parity for new fields
Teach `CanonicalMerger` to populate description, CWEResults, and canonical metric pointer with provenance + regression coverage. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDCORE-ENGINE-04-004 | DONE (2025-10-15) | Reference normalization & freshness instrumentation cleanup
Implement URL normalization for reference dedupe, align freshness-sensitive instrumentation, and add analytics tests. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDMERGE-ENGINE-04-004 | DONE (2025-10-15) | Merge pipeline parity for new advisory fields
Ensure merge service + merge events surface description/CWE/canonical metric decisions with updated metrics/tests. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDMERGE-ENGINE-04-005 | DONE (2025-10-15) | Connector coordination for new advisory fields
GHSA/NVD/OSV connectors now ship description, CWE, and canonical metric data with refreshed fixtures; merge coordination log updated and exporters notified. | Team Merge & QA Enforcement | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDEXPORT-JSON-04-001 | DONE (2025-10-15) | Surface new advisory fields in JSON exporter
Update schemas/offline bundle + fixtures once model/core parity lands.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json.Tests` validated canonical metric/CWE emission. | Team Exporters – JSON | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDEXPORT-TRIVY-04-001 | DONE (2025-10-15) | Propagate new advisory fields into Trivy DB package
Extend Bolt builder, metadata, and regression tests for the expanded schema.
2025-10-15: `dotnet test src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb.Tests` confirmed canonical metric/CWE propagation. | Team Exporters – Trivy DB | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDCONN-GHSA-04-004 | DONE (2025-10-16) | Harden CVSS fallback so canonical metric ids persist when GitHub omits vectors; extend fixtures and document severity precedence hand-off to Merge. | Team Connector Regression Fixtures | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 4 — Schema Parity & Freshness Alignment | FEEDCONN-OSV-04-005 | DONE (2025-10-16) | Map OSV advisories lacking CVSS vectors to canonical metric ids/notes and document CWE provenance quirks; schedule parity fixture updates. | Team Connector Expansion – GHSA/NVD/OSV | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Osv | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-CORE-01-001 | DONE (2025-10-15) | Stand up canonical VEX claim/consensus records with deterministic serializers so Storage/Exports share a stable contract. | Team Excititor Core & Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-CORE-01-002 | DONE (2025-10-15) | Implement trust-weighted consensus resolver with baseline policy weights, justification gates, telemetry output, and majority/tie handling. 
| Team Excititor Core & Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-CORE-01-003 | DONE (2025-10-15) | Publish shared connector/exporter/attestation abstractions and deterministic query signature utilities for cache/attestation workflows. | Team Excititor Core & Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-POLICY-01-001 | DONE (2025-10-15) | Established policy options & snapshot provider covering baseline weights/overrides. | Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-POLICY-01-002 | DONE (2025-10-15) | Policy evaluator now feeds consensus resolver with immutable snapshots. | Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-POLICY-01-003 | DONE (2025-10-16) | Author policy diagnostics, CLI/WebService surfacing, and documentation updates. | Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-POLICY-01-004 | DONE (2025-10-16) | Implement YAML/JSON schema validation and deterministic diagnostics for operator bundles. | Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-POLICY-01-005 | DONE (2025-10-16) | Add policy change tracking, snapshot digests, and telemetry/logging hooks. 
| Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-STORAGE-01-001 | DONE (2025-10-15) | Mongo mapping registry plus raw/export entities and DI extensions in place. | Team Excititor Storage | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-STORAGE-01-004 | DONE (2025-10-16) | Build provider/consensus/cache class maps and related collections. | Team Excititor Storage | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-EXPORT-01-001 | DONE (2025-10-15) | Export engine delivers cache lookup, manifest creation, and policy integration. | Team Excititor Export | Path: src/Excititor/__Libraries/StellaOps.Excititor.Export | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-EXPORT-01-004 | DONE (2025-10-17) | Connect export engine to attestation client and persist Rekor metadata. | Team Excititor Export | Path: src/Excititor/__Libraries/StellaOps.Excititor.Export | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-ATTEST-01-001 | DONE (2025-10-16) | Implement in-toto predicate + DSSE builder providing envelopes for export attestation. | Team Excititor Attestation | Path: src/Excititor/__Libraries/StellaOps.Excititor.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-CONN-ABS-01-001 | DONE (2025-10-17) | Deliver shared connector context/base classes so provider plug-ins can be activated via WebService/Worker. 
| Team Excititor Connectors | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 5 — Excititor Core Foundations | EXCITITOR-WEB-01-001 | DONE (2025-10-17) | Scaffold minimal API host, DI, and `/excititor/status` endpoint integrating policy, storage, export, and attestation services. | Team Excititor WebService | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-WORKER-01-001 | DONE (2025-10-17) | Create Worker host with provider scheduling and logging to drive recurring pulls/reconciliation. | Team Excititor Worker | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-FMT-CSAF-01-001 | DONE (2025-10-17) | Implement CSAF normalizer foundation translating provider documents into `VexClaim` entries. | Team Excititor Formats | Path: src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-FMT-CYCLONE-01-001 | DONE (2025-10-17) | Implement CycloneDX VEX normalizer capturing `analysis` state and component references. | Team Excititor Formats | Path: src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-FMT-OPENVEX-01-001 | DONE (2025-10-17) | Implement OpenVEX normalizer to ingest attestations into canonical claims with provenance. | Team Excititor Formats | Path: src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-001 | DONE (2025-10-17) | Ship Red Hat CSAF provider metadata discovery enabling incremental pulls. 
| Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-002 | DONE (2025-10-17) | Fetch CSAF windows with ETag handling, resume tokens, quarantine on schema errors, and persist raw docs. | Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-003 | DONE (2025-10-17) | Populate provider trust overrides (cosign issuer, identity regex) and provenance hints for policy evaluation/logging. | Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-004 | DONE (2025-10-17) | Persist resume cursors (last updated timestamp/document hashes) in storage and reload during fetch to avoid duplicates. | Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-005 | DONE (2025-10-17) | Register connector in Worker/WebService DI, add scheduled jobs, and document CLI triggers for Red Hat CSAF pulls. | Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-RH-01-006 | DONE (2025-10-17) | Add CSAF normalization parity fixtures ensuring RHSA-specific metadata is preserved. 
| Team Excititor Connectors – Red Hat | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-CISCO-01-001 | DONE (2025-10-17) | Implement Cisco CSAF endpoint discovery/auth to unlock paginated pulls. | Team Excititor Connectors – Cisco | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-CISCO-01-002 | DONE (2025-10-17) | Implement Cisco CSAF paginated fetch loop with dedupe and raw persistence support. | Team Excititor Connectors – Cisco | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-SUSE-01-001 | DONE (2025-10-17) | Build Rancher VEX Hub discovery/subscription path with offline snapshot support. | Team Excititor Connectors – SUSE | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-MS-01-001 | DONE (2025-10-17) | Deliver AAD onboarding/token cache for MSRC CSAF ingestion. | Team Excititor Connectors – MSRC | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-ORACLE-01-001 | DONE (2025-10-17) | Implement Oracle CSAF catalogue discovery with CPU calendar awareness. 
| Team Excititor Connectors – Oracle | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-UBUNTU-01-001 | DONE (2025-10-17) | Implement Ubuntu CSAF discovery and channel selection for USN ingestion. | Team Excititor Connectors – Ubuntu | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-OCI-01-001 | DONE (2025-10-18) | Wire OCI discovery/auth to fetch OpenVEX attestations for configured images. | Team Excititor Connectors – OCI | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-OCI-01-002 | DONE (2025-10-18) | Attestation fetch & verify loop – download DSSE attestations, trigger verification, handle retries/backoff, persist raw statements. | Team Excititor Connectors – OCI | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CONN-OCI-01-003 | DONE (2025-10-18) | Provenance metadata & policy hooks – emit image, subject digest, issuer, and trust metadata for policy weighting/logging. | Team Excititor Connectors – OCI | Path: src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 6 — Excititor Ingest & Formats | EXCITITOR-CLI-01-001 | DONE (2025-10-18) | Add `excititor` CLI verbs bridging to WebService with consistent auth and offline UX. 
| DevEx/CLI | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-CORE-02-001 | DONE (2025-10-19) | Context signal schema prep – extend consensus models with severity/KEV/EPSS fields and update canonical serializers. | Team Excititor Core & Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-POLICY-02-001 | DONE (2025-10-19) | Scoring coefficients & weight ceilings – add α/β options, weight boosts, and validation guidance. | Team Excititor Policy | Path: src/Excititor/__Libraries/StellaOps.Excititor.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-ATTEST-01-002 | DONE (2025-10-16) | Rekor v2 client integration – ship transparency log client with retries and offline queue. | Team Excititor Attestation | Path: src/Excititor/__Libraries/StellaOps.Excititor.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-CORE-09-501 | DONE (2025-10-18) | Define shared DTOs (ScanJob, ProgressEvent), error taxonomy, and deterministic ID/timestamp helpers aligning with `modules/scanner/architecture.md` §3–§4. | Team Scanner Core | Path: src/Scanner/__Libraries/StellaOps.Scanner.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-CORE-09-502 | DONE (2025-10-18) | Observability helpers (correlation IDs, logging scopes, metric namespacing, deterministic hashes) consumed by WebService/Worker. 
| Team Scanner Core | Path: src/Scanner/__Libraries/StellaOps.Scanner.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-CORE-09-503 | DONE (2025-10-18) | Security utilities: Authority client factory, OpTok caching, DPoP verifier, restart-time plug-in guardrails for scanner components. | Team Scanner Core | Path: src/Scanner/__Libraries/StellaOps.Scanner.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Build-time | SP9-BLDX-09-001 | DONE (2025-10-19) | Buildx driver scaffold + handshake with Scanner.Emit (local CAS). | BuildX Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Build-time | SP9-BLDX-09-002 | DONE (2025-10-19) | OCI annotations + provenance hand-off to Attestor. | BuildX Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Build-time | SP9-BLDX-09-003 | DONE (2025-10-19) | CI demo: minimal SBOM push & backend report wiring. | BuildX Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Build-time | SP9-BLDX-09-004 | DONE (2025-10-19) | Stabilize descriptor nonce derivation so repeated builds emit deterministic placeholders. | BuildX Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Build-time | SP9-BLDX-09-005 | DONE (2025-10-19) | Integrate determinism guard into GitHub/Gitea workflows and archive proof artifacts. 
| BuildX Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WEB-09-101 | DONE (2025-10-18) | Minimal API host with Authority enforcement, health/ready endpoints, and restart-time plug-in loader per architecture §1, §4. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WEB-09-102 | DONE (2025-10-18) | `/api/v1/scans` submission/status endpoints with deterministic IDs, validation, and cancellation support. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WEB-09-104 | DONE (2025-10-19) | Configuration binding for Mongo, MinIO, queue, feature flags; startup diagnostics and fail-fast policy. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WORKER-09-201 | DONE (2025-10-19) | Worker host bootstrap with Authority auth, hosted services, and graceful shutdown semantics. | Team Scanner Worker | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WORKER-09-202 | DONE (2025-10-19) | Lease/heartbeat loop with retry+jitter, poison-job quarantine, structured logging. | Team Scanner Worker | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WORKER-09-203 | DONE (2025-10-19) | Analyzer dispatch skeleton emitting deterministic stage progress and honoring cancellation tokens. 
| Team Scanner Worker | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WORKER-09-204 | DONE (2025-10-19) | Worker metrics (queue latency, stage duration, failure counts) with OpenTelemetry resource wiring. | Team Scanner Worker | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WORKER-09-205 | DONE (2025-10-19) | Harden heartbeat jitter so lease safety margin stays ≥3× and cover with regression tests + optional live queue smoke run. | Team Scanner Worker | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-001 | DONE | Policy schema + binder + diagnostics. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-002 | DONE | Policy snapshot store + revision digests. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-003 | DONE | `/policy/preview` API (image digest → projected verdict diff). | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — DevOps Foundations | DEVOPS-HELM-09-001 | DONE (2025-10-19) | Helm/Compose environment profiles (dev/staging/airgap) with deterministic digests. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Docs & Governance | DOCS-ADR-09-001 | DONE (2025-10-19) | Establish ADR process and template. 
| Docs Guild, DevEx | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Docs & Governance | DOCS-EVENTS-09-002 | DONE (2025-10-19) | Publish event schema catalog (`docs/events/`) for critical envelopes. | Docs Guild, Platform Events | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-STORAGE-09-301 | DONE (2025-10-19) | Mongo catalog schemas/indexes for images, layers, artifacts, jobs, lifecycle rules plus migrations. | Team Scanner Storage | Path: src/Scanner/__Libraries/StellaOps.Scanner.Storage | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-STORAGE-09-302 | DONE (2025-10-19) | MinIO layout, immutability policies, client abstraction, and configuration binding. | Team Scanner Storage | Path: src/Scanner/__Libraries/StellaOps.Scanner.Storage | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-STORAGE-09-303 | DONE (2025-10-19) | Repositories/services with dual-write feature flag, deterministic digests, TTL enforcement tests. | Team Scanner Storage | Path: src/Scanner/__Libraries/StellaOps.Scanner.Storage | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-QUEUE-09-401 | DONE (2025-10-19) | Queue abstraction + Redis Streams adapter with ack/claim APIs and idempotency tokens. | Team Scanner Queue | Path: src/Scanner/__Libraries/StellaOps.Scanner.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-QUEUE-09-402 | DONE (2025-10-19) | Pluggable backend support (Redis, NATS) with configuration binding, health probes, failover docs. 
| Team Scanner Queue | Path: src/Scanner/__Libraries/StellaOps.Scanner.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-QUEUE-09-403 | DONE (2025-10-19) | Retry + dead-letter strategy with structured logs/metrics for offline deployments. | Team Scanner Queue | Path: src/Scanner/__Libraries/StellaOps.Scanner.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDCONN-GHSA-02-001 | DONE (2025-10-12) | GHSA normalized versions & provenance
Team instructions: Read ./AGENTS.md and each module's AGENTS file. Adopt the `NormalizedVersions` array emitted by the models sprint, wiring provenance `decisionReason` where merge overrides occur. Follow ./src/FASTER_MODELING_AND_NORMALIZATION.md; report via src/Concelier/__Libraries/StellaOps.Concelier.Merge (FEEDMERGE-COORD-02-900). Progress 2025-10-11: GHSA/OSV emit normalized arrays with refreshed fixtures; CVE mapper now surfaces SemVer normalized ranges; NVD/KEV adoption pending; outstanding follow-ups include FEEDSTORAGE-DATA-02-001, FEEDMERGE-ENGINE-02-002, and rolling `src/Tools/FixtureUpdater` updates across connectors.
Progress 2025-10-20: Coordination matrix + rollout dashboard refreshed; upcoming deadlines tracked (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) with escalation path documented in FEEDMERGE-COORD-02-900. | Team Connector Normalized Versions Rollout | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Ghsa | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 1 — Stabilize In-Progress Foundations | FEEDWEB-OPS-01-006 | DONE (2025-10-19) | Rename plugin drop directory to namespaced path
Build outputs now point at `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`; defaults/docs/tests updated to reflect the new layout. | Team WebService & Authority | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-STORAGE-02-001 | DONE (2025-10-19) | Statement events & scoring signals – immutable VEX statements store, consensus signal fields, and migration `20251019-consensus-signals-statements` with tests (`dotnet test src/Excititor/__Tests/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`, `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). | Team Excititor Storage | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDCORE-ENGINE-07-001 | DONE (2025-10-19) | Advisory event log & asOf queries – surface immutable statements and replay capability. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDWEB-EVENTS-07-001 | DONE (2025-10-19) | Advisory event replay API – expose `/concelier/advisories/{key}/replay` with `asOf` filter, hex hashes, and conflict data. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDMERGE-ENGINE-07-001 | DONE (2025-10-20) | Conflict sets & explainers – persist conflict materialization and replay hashes for merge decisions. 
| BE-Merge | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mongo strengthening | FEEDSTORAGE-MONGO-08-001 | DONE (2025-10-19) | Causal-consistent Concelier storage sessions
Scoped session facilitator registered, repositories accept optional session handles, and replica-set failover tests verify read-your-write + monotonic reads. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mongo strengthening | AUTHSTORAGE-MONGO-08-001 | DONE (2025-10-19) | Harden Authority Mongo usage
Scoped Mongo sessions with majority read/write concerns wired through stores and GraphQL/HTTP pipelines; replica-set election regression validated. | Authority Core & Storage Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mongo strengthening | EXCITITOR-STORAGE-MONGO-08-001 | DONE (2025-10-19) | Causal consistency for Excititor repositories
Session-scoped repositories shipped with new Mongo records, orchestrators/workers now share scoped sessions, and replica-set failover coverage added via `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`. | Team Excititor Storage | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Platform Maintenance | EXCITITOR-STORAGE-03-001 | DONE (2025-10-19) | Statement backfill tooling – shipped admin backfill endpoint, CLI hook (`stellaops excititor backfill-statements`), integration tests, and operator runbook (`docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`). | Team Excititor Storage | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | CONCELIER-EXPORT-08-201 | DONE (2025-10-19) | Mirror bundle + domain manifest – produce signed JSON aggregates for `*.stella-ops.org` mirrors. | Concelier Export Guild | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | CONCELIER-EXPORT-08-202 | DONE (2025-10-19) | Mirror-ready Trivy DB bundles – mirror options emit per-domain manifests/metadata/db archives with deterministic digests for downstream sync. | Concelier Export Guild | Path: src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | CONCELIER-WEB-08-201 | DONE (2025-10-20) | Mirror distribution endpoints – expose domain-scoped index/download APIs with auth/quota. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | DEVOPS-MIRROR-08-001 | DONE (2025-10-19) | Managed mirror deployments for `*.stella-ops.org` – Helm/Compose overlays, CDN, runbooks. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-003 | DONE (2025-10-20) | Refactor Authority identity-provider registry to resolve scoped plugin services on-demand.
Introduce factory pattern aligned with scoped lifetimes decided in coordination workshop. | Plugin Platform Guild, Authority Core | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-004 | DONE (2025-10-20) | Update Authority plugin loader to activate registrars with DI support and scoped service awareness.
Add two-phase initialization allowing scoped dependencies post-container build. | Plugin Platform Guild, Authority Core | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-005 | DONE (2025-10-20) | Provide scoped-safe bootstrap execution for Authority plugins.
Implement scope-per-run pattern for hosted bootstrap tasks and document migration guidance. | Plugin Platform Guild, Authority Core | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — DevOps Security | DEVOPS-SEC-10-301 | DONE (2025-10-20) | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0; Wave 0A prerequisites confirmed complete before remediation work. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | AUTH-DPOP-11-001 | DONE (2025-10-20) | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-WEB-15-103 | DONE (2025-10-19) | Delivery history & test-send endpoints. | Notify WebService Guild | Path: src/Notify/StellaOps.Notify.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-SLACK-15-502 | DONE (2025-10-20) | Slack health/test-send support. | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-TEAMS-15-602 | DONE (2025-10-20) | Teams health/test-send support. | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-TEAMS-15-604 | DONE (2025-10-20) | Teams health endpoint metadata alignment. 
| Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-SLACK-15-503 | DONE (2025-10-20) | Package Slack connector as restart-time plug-in (manifest + host registration). | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-TEAMS-15-603 | DONE (2025-10-20) | Package Teams connector as restart-time plug-in (manifest + host registration). | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-EMAIL-15-703 | DONE (2025-10-20) | Package Email connector as restart-time plug-in (manifest + host registration). | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Email | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | SCANNER-EVENTS-15-201 | DONE (2025-10-20) | Emit `scanner.report.ready` + `scanner.scan.completed` events. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-CONN-WEBHOOK-15-803 | DONE (2025-10-20) | Package Webhook connector as restart-time plug-in (manifest + host registration). | Notify Connectors Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-MODELS-16-103 | DONE (2025-10-20) | Versioning/migration helpers for schedules/runs. 
| Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-QUEUE-16-401 | DONE (2025-10-20) | Queue abstraction + Redis Streams adapter. | Scheduler Queue Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-QUEUE-16-402 | DONE (2025-10-20) | NATS JetStream adapter with health probes. | Scheduler Queue Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-IMPACT-16-300 | DONE (2025-10-20) | **STUB** ImpactIndex ingest/query using fixtures (to be removed by SP16 completion). | Scheduler ImpactIndex Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | DOCS-CONCELIER-07-201 | DONE (2025-10-22) | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Docs Guild, Concelier WebService | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-WEB-01-002 | DONE (2025-10-20) | Ingest & reconcile endpoints – scope-enforced `/excititor/init`, `/excititor/ingest/run`, `/excititor/ingest/resume`, `/excititor/reconcile`; regression via `dotnet test … --filter FullyQualifiedName~IngestEndpointsTests`. 
| Team Excititor WebService | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-WEB-01-004 | DONE (2025-10-20) | Resolve API & signed responses – expose `/excititor/resolve`, return signed consensus/score envelopes, document auth. | Team Excititor WebService | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-WORKER-01-004 | DONE (2025-10-21) | TTL refresh & stability damper – schedule re-resolve loops and guard against status flapping. | Team Excititor Worker | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDCORE-ENGINE-07-002 | DONE (2025-10-21) | Noise prior computation service – learn false-positive priors and expose deterministic summaries. | Team Core Engine & Data Science | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDCORE-ENGINE-07-003 | DONE (2025-10-21) | Unknown state ledger & confidence seeding – persist unknown flags, seed confidence bands, expose query surface. | Team Core Engine & Storage Analytics | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-WEB-01-005 | DONE (2025-10-19) | Mirror distribution endpoints – expose download APIs for downstream Excititor instances. | Team Excititor WebService | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-EXPORT-01-005 | DONE (2025-10-21) | Score & resolve envelope surfaces – include signed consensus/score artifacts in exports. 
| Team Excititor Export | Path: src/Excititor/__Libraries/StellaOps.Excititor.Export | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-EXPORT-01-006 | DONE (2025-10-21) | Quiet provenance packaging – attach quieted-by statement IDs, signers, justification codes to exports and attestations. | Team Excititor Export | Path: src/Excititor/__Libraries/StellaOps.Excititor.Export | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-EXPORT-01-007 | DONE (2025-10-21) | Mirror bundle + domain manifest – publish signed consensus bundles for mirrors. | Team Excititor Export | Path: src/Excititor/__Libraries/StellaOps.Excititor.Export | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | EXCITITOR-CONN-STELLA-07-001 | DONE (2025-10-21) | Excititor mirror connector – ingest signed mirror bundles and map to VexClaims with resume handling. | Excititor Connectors – Stella | Path: src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | FEEDSTORAGE-DATA-07-001 | DONE (2025-10-19) | Advisory statement & conflict collections – provision Mongo schema/indexes for event-sourced merge. | Team Normalization & Storage Backbone | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 7 — Contextual Truth Foundations | WEB1.TRIVY-SETTINGS-TESTS | DONE (2025-10-21) | Add headless UI test run (`ng test --watch=false`) and document prerequisites once Angular tooling is chained up. 
| UX Specialist, Angular Eng | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | FEEDCONN-STELLA-08-001 | DONE (2025-10-20) | Concelier mirror connector – fetch mirror manifest, verify signatures, and hydrate canonical DTOs with resume support. | BE-Conn-Stella | Path: src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | FEEDCONN-STELLA-08-002 | DONE (2025-10-20) | Map mirror payloads into canonical advisory DTOs with provenance referencing mirror domain + original source metadata. | BE-Conn-Stella | Path: src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Mirror Distribution | FEEDCONN-STELLA-08-003 | DONE (2025-10-20) | Add incremental cursor + resume support (per-export fingerprint) and document configuration for downstream Concelier instances. | BE-Conn-Stella | Path: src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-001 | DONE (2025-10-21) | Scoped service support in plugin bootstrap – added dynamic plugin tests ensuring `[ServiceBinding]` metadata flows through plugin hosts and remains idempotent. | Plugin Platform Guild | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-002.COORD | DONE (2025-10-20) | Authority scoped-service integration handshake
Workshop concluded 2025-10-20 15:00–16:05 UTC; decisions + follow-ups recorded in `docs/dev/authority-plugin-di-coordination.md`. | Plugin Platform Guild, Authority Core | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | PLUGIN-DI-08-002 | DONE (2025-10-20) | Authority plugin integration updates – scoped identity-provider services with registry handles; regression coverage via scoped registrar/unit tests. | Plugin Platform Guild, Authority Core | Path: src/__Libraries/StellaOps.Plugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 8 — Plugin Infrastructure | AUTH-PLUGIN-COORD-08-002 | DONE (2025-10-20) | Coordinate scoped-service adoption for Authority plug-in registrars
Workshop notes and follow-up backlog captured 2025-10-20 in `docs/dev/authority-plugin-di-coordination.md`. | Authority Core, Plugin Platform Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-WEB-09-103 | DONE (2025-10-19) | Progress streaming (SSE/JSONL) with correlation IDs and ISO-8601 UTC timestamps, documented in API reference. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-POLICY-09-105 | DONE (2025-10-19) | Policy snapshot loader + schema + OpenAPI (YAML ignore rules, VEX include/exclude, vendor precedence). | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-POLICY-09-106 | DONE (2025-10-19) | `/reports` verdict assembly (Conselier+Excitor+Policy) + signed response envelope. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Scanner Core Foundations | SCANNER-POLICY-09-107 | DONE (2025-10-19) | Expose score inputs, config version, and quiet provenance in `/reports` JSON and signed payload. | Team Scanner WebService | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — DevOps Foundations | DEVOPS-SCANNER-09-204 | DONE (2025-10-21) | Surface `SCANNER__EVENTS__*` env config across Compose/Helm and document overrides. | DevOps Guild, Scanner WebService Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — DevOps Foundations | DEVOPS-SCANNER-09-205 | DONE (2025-10-21) | Notify smoke job validates Redis stream + Notify deliveries after staging deploys. 
| DevOps Guild, Notify Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-004 | DONE (2025-10-19) | Versioned scoring config with schema validation, trust table, and golden fixtures. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-005 | DONE (2025-10-19) | Scoring/quiet engine – compute score, enforce VEX-only quiet rules, emit inputs and provenance. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Policy Foundations | POLICY-CORE-09-006 | DONE (2025-10-19) | Unknown state & confidence decay – deterministic bands surfaced in policy outputs. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 9 — Docs & Governance | PLATFORM-EVENTS-09-401 | DONE (2025-10-21) | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. | Platform Events Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Benchmarks | BENCH-SCANNER-10-002 | DONE (2025-10-21) | Wire real language analyzers into bench harness & refresh baselines post-implementation. | Bench Guild, Language Analyzer Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-302 | DONE (2025-10-21) | Node analyzer handling workspaces/symlinks emitting `pkg:npm`. 
| Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-303 | DONE (2025-10-21) | Python analyzer reading `*.dist-info`, RECORD hashes, entry points. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-304 | DONE (2025-10-22) | Go analyzer leveraging buildinfo for `pkg:golang` components. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-304E | DONE (2025-10-22) | Plumb Go heuristic counter into Scanner metrics pipeline and alerting. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-305 | DONE (2025-10-22) | .NET analyzer parsing `*.deps.json`, assembly metadata, RID variants. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-306 | DONE (2025-10-22) | Rust analyzer detecting crates or falling back to `bin:{sha256}`. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-307 | DONE (2025-10-19) | Shared language evidence helpers + usage flag propagation. 
| Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-308 | DONE (2025-10-19) | Determinism + fixture harness for language analyzers. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-309 | DONE (2025-10-21) | Package language analyzers as restart-time plug-ins (manifest + host registration). | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-601 | DONE (2025-10-22) | Compose inventory SBOM (CycloneDX JSON/Protobuf) from layer fragments. | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-602 | DONE (2025-10-22) | Compose usage SBOM leveraging EntryTrace to flag actual usage. | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-603 | DONE (2025-10-22) | Generate BOM index sidecar (purl table + roaring bitmap + usage flag). | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-604 | DONE (2025-10-22) | Package artifacts for export + attestation with deterministic manifests. 
| Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-605 | DONE (2025-10-22) | Emit BOM-Index sidecar schema/fixtures (CRITICAL PATH for SP16). | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-606 | DONE (2025-10-22) | Usage view bit flags integrated with EntryTrace. | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-EMIT-10-607 | DONE (2025-10-22) | Embed scoring inputs, confidence band, and quiet provenance in CycloneDX/DSSE artifacts. | Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-CACHE-10-101 | DONE (2025-10-19) | Implement layer cache store keyed by layer digest with metadata retention per architecture §3.3. | Scanner Cache Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Cache | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-CACHE-10-102 | DONE (2025-10-19) | Build file CAS with dedupe, TTL enforcement, and offline import/export hooks. | Scanner Cache Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Cache | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-CACHE-10-103 | DONE (2025-10-19) | Expose cache metrics/logging and configuration toggles for warm/cold thresholds. 
| Scanner Cache Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Cache | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-CACHE-10-104 | DONE (2025-10-19) | Implement cache invalidation workflows (layer delete, TTL expiry, diff invalidation). | Scanner Cache Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Cache | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-201 | DONE (2025-10-19) | Alpine/apk analyzer emitting deterministic components with provenance. | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-202 | DONE (2025-10-19) | Debian/dpkg analyzer mapping packages to purl identity with evidence. | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-203 | DONE (2025-10-19) | RPM analyzer capturing EVR, file listings, provenance. | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-204 | DONE (2025-10-19) | Shared OS evidence helpers for package identity + provenance. | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-205 | DONE (2025-10-19) | Vendor metadata enrichment (source packages, license, CVE hints). 
| OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-206 | DONE (2025-10-19) | Determinism harness + fixtures for OS analyzers. | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-OS-10-207 | DONE (2025-10-19) | Package OS analyzers as restart-time plug-ins (manifest + host registration). | OS Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ANALYZERS-LANG-10-301 | DONE (2025-10-19) | Java analyzer emitting `pkg:maven` with provenance. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-401 | DONE (2025-10-19) | POSIX shell AST parser with deterministic output. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-402 | DONE (2025-10-19) | Command resolution across layered rootfs with evidence attribution. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-403 | DONE (2025-10-19) | Interpreter tracing for shell wrappers to Python/Node/Java launchers. 
| EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-404 | DONE (2025-10-19) | Python entry analyzer (venv shebang, module invocation, usage flag). | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-405 | DONE (2025-10-19) | Node/Java launcher analyzer capturing script/jar targets. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-406 | DONE (2025-10-19) | Explainability + diagnostics for unresolved constructs with metrics. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-ENTRYTRACE-10-407 | DONE (2025-10-19) | Package EntryTrace analyzers as restart-time plug-ins (manifest + host registration). | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-DIFF-10-501 | DONE (2025-10-19) | Build component differ tracking add/remove/version changes with deterministic ordering. | Diff Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Diff | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-DIFF-10-502 | DONE (2025-10-19) | Attribute diffs to introducing/removing layers including provenance evidence. 
| Diff Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Diff | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Scanner Analyzers & SBOM | SCANNER-DIFF-10-503 | DONE (2025-10-19) | Produce JSON diff output for inventory vs usage views aligned with API contract. | Diff Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Diff | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Samples | SAMPLES-10-001 | DONE (2025-10-20) | Sample images with SBOM/BOM-Index sidecars. | Samples Guild, Scanner Team | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — DevOps Perf | DEVOPS-PERF-10-001 | DONE (2025-10-22) | Perf smoke job ensuring <5 s SBOM compose. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — DevOps Perf | DEVOPS-PERF-10-002 | DONE (2025-10-23) | Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20 % regressions. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Policy Samples | SAMPLES-13-004 | DONE (2025-10-23) | Add policy preview/report fixtures showing confidence bands and unknown-age tags. | Samples Guild, Policy Guild | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 10 — Policy Samples | WEB-POLICY-FIXTURES-10-001 | DONE (2025-10-23) | Wire policy preview/report doc fixtures into UI harness (test utility or Storybook substitute) with type bindings and validation guard so UI stays aligned with documented payloads. | UI Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | SIGNER-API-11-101 | DONE (2025-10-21) | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. 
| Signer Guild | Path: src/Signer/StellaOps.Signer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | SIGNER-REF-11-102 | DONE (2025-10-21) | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | Signer Guild | Path: src/Signer/StellaOps.Signer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | Signer Guild | Path: src/Signer/StellaOps.Signer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | AUTH-MTLS-11-002 | DONE (2025-10-23) | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | SCANNER-RUNTIME-12-301 | DONE (2025-10-20) | `/runtime/events` ingestion endpoint with validation, batching, storage hooks. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — UX & CLI Experience | CLI-OFFLINE-13-006 | DONE (2025-10-21) | Implement offline kit pull/import/status commands with integrity checks. | DevEx/CLI | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — UX & CLI Experience | CLI-PLUGIN-13-007 | DONE (2025-10-22) | Package non-core CLI verbs as restart-time plug-ins (manifest + loader tests). | DevEx/CLI | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — UX & CLI Experience | WEB1.DEPS-13-001 | DONE (2025-10-21) | Stabilise Angular workspace dependencies for headless CI installs (`npm install`, Chromium handling, docs). 
| UX Specialist, Angular Eng, DevEx | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-QUEUE-16-403 | DONE (2025-10-20) | Dead-letter handling + metrics. | Scheduler Queue Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 18 — Launch Readiness | DEVOPS-OFFLINE-18-004 | DONE (2025-10-22) | Rebuild Offline Kit bundle with Go analyzer plug-in and refreshed manifest/signature set. | Offline Kit Guild, Scanner Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | ATTESTOR-API-11-201 | DONE (2025-10-19) | `/rekor/entries` submission pipeline with dedupe, proof acquisition, and persistence. | Attestor Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | ATTESTOR-VERIFY-11-202 | DONE (2025-10-19) | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. | Attestor Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Signing Chain Bring-up | ATTESTOR-OBS-11-203 | DONE (2025-10-19) | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. | Attestor Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — Storage Platform Hardening | SCANNER-STORAGE-11-401 | DONE (2025-10-23) | Migrate scanner object storage integration from MinIO to RustFS with data migration plan. 
| Scanner Storage Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Storage | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 11 — UI Integration | UI-ATTEST-11-005 | DONE (2025-10-23) | Attestation visibility (Rekor id, status) on Scan Detail. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-CORE-12-201 | DONE (2025-10-23) | Define runtime event/admission DTOs, hashing helpers, and versioning strategy. | Zastava Core Guild | Path: src/Zastava/__Libraries/StellaOps.Zastava.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-CORE-12-202 | DONE (2025-10-23) | Provide configuration/logging/metrics utilities shared by Observer/Webhook. | Zastava Core Guild | Path: src/Zastava/__Libraries/StellaOps.Zastava.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-CORE-12-203 | DONE (2025-10-23) | Authority client helpers, OpTok caching, and security guardrails for runtime services. | Zastava Core Guild | Path: src/Zastava/__Libraries/StellaOps.Zastava.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-OPS-12-204 | DONE (2025-10-23) | Operational runbooks, alert rules, and dashboard exports for runtime plane. | Zastava Core Guild | Path: src/Zastava/__Libraries/StellaOps.Zastava.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-OBS-12-001 | DONE (2025-10-24) | Container lifecycle watcher emitting deterministic runtime events with buffering. | Zastava Observer Guild | Path: src/Zastava/StellaOps.Zastava.Observer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-OBS-12-002 | DONE (2025-10-24) | Capture entrypoint traces + loaded libraries, hashing binaries and linking to baseline SBOM. 
| Zastava Observer Guild | Path: src/Zastava/StellaOps.Zastava.Observer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-OBS-12-003 | DONE (2025-10-24) | Posture checks for signatures/SBOM/attestation with offline caching. | Zastava Observer Guild | Path: src/Zastava/StellaOps.Zastava.Observer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-OBS-12-004 | DONE (2025-10-24) | Batch `/runtime/events` submissions with disk-backed buffer and rate limits. | Zastava Observer Guild | Path: src/Zastava/StellaOps.Zastava.Observer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-WEBHOOK-12-101 | DONE (2025-10-24) | Admission controller host with TLS bootstrap and Authority auth. | Zastava Webhook Guild | Path: src/Zastava/StellaOps.Zastava.Webhook | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-WEBHOOK-12-102 | DONE (2025-10-24) | Query Scanner `/policy/runtime`, resolve digests, enforce verdicts. | Zastava Webhook Guild | Path: src/Zastava/StellaOps.Zastava.Webhook | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-WEBHOOK-12-103 | DONE (2025-10-24) | Caching, fail-open/closed toggles, metrics/logging for admission decisions. | Zastava Webhook Guild | Path: src/Zastava/StellaOps.Zastava.Webhook | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | ZASTAVA-WEBHOOK-12-104 | DONE (2025-10-24) | Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes. | Zastava Webhook Guild | Path: src/Zastava/StellaOps.Zastava.Webhook | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | SCANNER-RUNTIME-12-302 | DONE (2025-10-24) | `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance. 
| Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | SCANNER-RUNTIME-12-303 | DONE (2025-10-24) | Align `/policy/runtime` verdicts with canonical policy evaluation (Conselier/Excitor). | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | SCANNER-RUNTIME-12-304 | DONE (2025-10-24) | Integrate attestation verification into runtime policy metadata. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 12 — Runtime Guardrails | SCANNER-RUNTIME-12-305 | DONE (2025-10-24) | Deliver shared fixtures + e2e validation with Zastava/CLI teams. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — UX & CLI Experience | UI-AUTH-13-001 | DONE (2025-10-23) | Integrate Authority OIDC + DPoP flows with session management. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — UX & CLI Experience | UI-NOTIFY-13-006 | DONE (2025-10-25) | Notify panel: channels/rules CRUD, deliveries view, test send. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — Platform Reliability | DEVOPS-NUGET-13-001 | DONE (2025-10-25) | Wire up .NET 10 preview feeds/local mirrors so `dotnet restore` succeeds offline; document updated NuGet bootstrap. | DevOps Guild, Platform Leads | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-QUEUE-15-401 | DONE (2025-10-23) | Bus abstraction + Redis Streams adapter with ordering/idempotency. 
| Notify Queue Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-QUEUE-15-402 | DONE (2025-10-23) | NATS JetStream adapter with health probes and failover. | Notify Queue Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-QUEUE-15-403 | DONE (2025-10-23) | Delivery queue with retry/dead-letter + metrics. | Notify Queue Guild | Path: src/Notify/__Libraries/StellaOps.Notify.Queue | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Notify Foundations | NOTIFY-WORKER-15-201 | DONE (2025-10-23) | Bus subscription + leasing loop with backoff. | Notify Worker Guild | Path: src/Notify/StellaOps.Notify.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | ZASTAVA-OBS-17-005 | DONE (2025-10-25) | Collect GNU build-id during runtime observation and attach it to emitted events. | Zastava Observer Guild | Path: src/Zastava/StellaOps.Zastava.Observer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | SCANNER-RUNTIME-17-401 | DONE (2025-10-25) | Persist runtime build-id observations and expose them for debug-symbol correlation. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — Platform Reliability | DEVOPS-NUGET-13-002 | DONE (2025-10-26) | Ensure all solutions/projects prioritize `local-nuget` before public feeds and add restore-order validation. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 13 — Platform Reliability | DEVOPS-NUGET-13-003 | DONE (2025-10-26) | Upgrade `Microsoft.*` dependencies pinned to 8.* to their latest .NET 10 (or 9.x) releases and refresh guidance. | DevOps Guild, Platform Leads | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 14 — Release & Offline Ops | DEVOPS-OPS-14-003 | DONE (2025-10-26) | Deployment/update/rollback automation and channel management documentation. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 14 — Release & Offline Ops | DEVOPS-REL-14-001 | DONE (2025-10-26) | Deterministic build/release pipeline with SBOM/provenance, signing, and manifest generation. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 14 — Release & Offline Ops | DEVOPS-REL-14-004 | DONE (2025-10-26) | Extend release/offline smoke jobs to cover Python analyzer plug-ins (warm/cold, determinism, signing). | DevOps Guild, Scanner Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 14 — Release & Offline Ops | DEVOPS-LIC-14-004 | DONE (2025-10-26) | Registry token service tied to Authority, plan gating, revocation handling, monitoring. | Licensing Guild | Path: ops/licensing | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 14 — Release & Offline Ops | DEVOPS-OFFLINE-14-002 | DONE (2025-10-26) | Offline kit packaging workflow with integrity verification and documentation. | Offline Kit Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 15 — Benchmarks | BENCH-NOTIFY-15-001 | DONE (2025-10-26) | Notify dispatch throughput bench with results CSV. 
| Bench Guild, Notify Team | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-MODELS-16-101 | DONE (2025-10-19) | Define Scheduler DTOs & validation. | Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-MODELS-16-102 | DONE (2025-10-19) | Publish schema docs/sample payloads. | Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-STORAGE-16-201 | DONE (2025-10-19) | Mongo schemas/indexes for Scheduler state. | Scheduler Storage Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-STORAGE-16-202 | DONE (2025-10-26) | Repositories with tenant scoping, TTL, causal consistency. | Scheduler Storage Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-STORAGE-16-203 | DONE (2025-10-26) | Audit/run stats materialization for UI. | Scheduler Storage Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-IMPACT-16-302 | DONE (2025-10-26) | Query APIs for ResolveByPurls/ResolveByVulns/ResolveAll. | Scheduler ImpactIndex Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-IMPACT-16-301 | DONE (2025-10-26) | Ingest BOM-Index into roaring bitmap store. 
| Scheduler ImpactIndex Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WEB-16-102 | DONE (2025-10-26) | Schedules CRUD (cron validation, pause/resume, audit). | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WEB-16-103 | DONE (2025-10-26) | Runs API (list/detail/cancel) + impact previews. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WEB-16-104 | DONE (2025-10-27) | Conselier/Excitor webhook handlers with security enforcement. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | DOCS-RUNTIME-17-004 | DONE (2025-10-26) | Document build-id workflows for SBOMs, runtime events, and debug-store usage. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | DEVOPS-REL-17-002 | DONE (2025-10-26) | Ship stripped debug artifacts organised by build-id within release/offline kits. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | DEVOPS-OFFLINE-17-003 | DONE (2025-10-26) | Mirror release debug-store artefacts into Offline Kit packaging and document validation. | Offline Kit Guild, DevOps Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | SCANNER-EMIT-17-701 | DONE (2025-10-26) | Record GNU build-id for ELF components and surface it in SBOM/diff outputs. 
| Emit Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Emit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 18 — Launch Readiness | DEVOPS-LAUNCH-18-001 | DONE (2025-10-26) | Production launch cutover rehearsal and runbook publication. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 18 — Launch Readiness | DEVOPS-OFFLINE-18-005 | DONE (2025-10-26) | Rebuild Offline Kit with Python analyzer artefacts and refreshed manifest/signature pair. | Offline Kit Guild, Scanner Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-001 | DONE (2025-10-26) | Publish aggregation-only contract reference documentation. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-002 | DONE (2025-10-26) | Update architecture overview with AOC boundary diagrams. | Docs Guild, Architecture Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-003 | DONE (2025-10-26) | Refresh policy engine doc with raw ingestion constraints. | Docs Guild, Policy Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-004 | DONE (2025-10-26) | Document console AOC dashboard and drill-down flow. | Docs Guild, UI Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-005 | DONE (2025-10-26) | Document CLI AOC commands and exit codes. | Docs Guild, CLI Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-006 | DONE (2025-10-26) | Document new AOC metrics, traces, and logs. 
| Docs Guild, Observability Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-007 | DONE (2025-10-26) | Document new Authority scopes and tenancy enforcement. | Docs Guild, Authority Core | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DOCS-AOC-19-008 | DONE (2025-10-26) | Update deployment guide with validator enablement and verify user guidance. | Docs Guild, DevOps Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | AUTH-AOC-19-001 | DONE (2025-10-26) | Introduce new ingestion/auth scopes across Authority. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-001 | DONE (2025-10-26) | Publish `/docs/policy/overview.md` with compliance checklist. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-002 | DONE (2025-10-26) | Document DSL grammar + examples in `/docs/policy/dsl.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-003 | DONE (2025-10-26) | Write `/docs/policy/lifecycle.md` covering workflow + roles. | Docs Guild, Authority Core | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-004 | DONE (2025-10-26) | Document policy run modes + cursors in `/docs/policy/runs.md`. | Docs Guild, Scheduler Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-005 | DONE (2025-10-26) | Produce `/docs/api/policy.md` with endpoint schemas + errors. 
| Docs Guild, Platform Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-006 | DONE (2025-10-26) | Author `/docs/modules/cli/guides/policy.md` with commands, exit codes, JSON output. | Docs Guild, CLI Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-007 | DONE (2025-10-26) | Create `/docs/ui/policy-editor.md` covering editor, simulation, approvals. | Docs Guild, UI Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-008 | DONE (2025-10-26) | Publish `/docs/modules/policy/architecture.md` with sequence diagrams. | Docs Guild, Architecture Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-009 | DONE (2025-10-26) | Document metrics/traces/logs in `/docs/observability/policy.md`. | Docs Guild, Observability Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-010 | DONE (2025-10-26) | Publish `/docs/security/policy-governance.md` for scopes + approvals. | Docs Guild, Security Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-011 | DONE (2025-10-26) | Add example policies under `/docs/examples/policies/` with commentary. | Docs Guild, Policy Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DOCS-POLICY-20-012 | DONE (2025-10-26) | Draft `/docs/faq/policy-faq.md` covering conflicts, determinism, pitfalls. | Docs Guild, Support Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DEVOPS-POLICY-20-001 | DONE (2025-10-26) | Add DSL lint + compile checks to CI pipelines. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DEVOPS-POLICY-20-003 | DONE (2025-10-26) | Add determinism CI job diffing repeated policy runs. | DevOps Guild, QA Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SAMPLES-POLICY-20-001 | DONE (2025-10-26) | Commit baseline/serverless/internal-only policy samples + fixtures. | Samples Guild, Policy Guild | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SAMPLES-POLICY-20-002 | DONE (2025-10-26) | Produce simulation diff fixtures for UI/CLI tests. | Samples Guild, UI Guild | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | AUTH-POLICY-20-001 | DONE (2025-10-26) | Add new policy scopes (`policy:*`, `findings:read`, `effective:write`). | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | AUTH-POLICY-20-002 | DONE (2025-10-26) | Enforce Policy Engine service identity and scope checks at gateway. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | AUTH-POLICY-20-003 | DONE (2025-10-26) | Update Authority docs/config samples for policy scopes + workflows. | Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | BENCH-POLICY-20-001 | DONE (2025-10-26) | Create policy evaluation benchmark suite + baseline metrics. 
| Bench Guild, Policy Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-000 | DONE (2025-10-26) | Spin up new Policy Engine service host with DI bootstrap and Authority wiring. | Policy Guild, Platform Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-001 | DONE (2025-10-26) | Deliver `stella-dsl@1` parser + IR compiler with diagnostics and checksums. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-MODELS-20-001 | DONE (2025-10-26) | Define policy run/diff DTOs + validation helpers. | Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | AUTH-GRAPH-21-001 | DONE (2025-10-26) | Introduce graph scopes (`graph:*`) with configuration binding and defaults. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | AUTH-GRAPH-21-002 | DONE (2025-10-26) | Enforce graph scopes/identities at gateway with tenant propagation. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | AUTH-GRAPH-21-003 | DONE (2025-10-26) | Update security docs/config samples for graph access and least privilege. 
| Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SCHED-MODELS-21-001 | DONE (2025-10-26) | Define job DTOs for graph builds/overlay refresh (`GraphBuildJob`, `GraphOverlayJob`) with deterministic serialization and status enums; document in `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/docs/SCHED-MODELS-21-001-GRAPH-JOBS.md`. | Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SCHED-MODELS-21-002 | DONE (2025-10-26) | Publish schema docs/sample payloads for graph job lifecycle. | Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | BENCH-LNM-22-001 | DONE (2025-10-26) | Benchmark advisory observation ingest/correlation throughput. | Bench Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | BENCH-LNM-22-002 | DONE (2025-10-26) | Benchmark VEX ingest/correlation latency and event emission. | Bench Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-001 | DONE (2025-10-26) | Publish `/docs/ui/console-overview.md` (IA, tenant model, filters, AOC alignment). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-002 | DONE (2025-10-26) | Author `/docs/ui/navigation.md` with route map, filters, keyboard shortcuts, deep links. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-003 | DONE (2025-10-26) | Document `/docs/ui/sbom-explorer.md` covering catalog, graph, overlays, exports. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-004 | DONE (2025-10-26) | Produce `/docs/ui/advisories-and-vex.md` detailing aggregation-not-merge UX. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-005 | DONE (2025-10-26) | Write `/docs/ui/findings.md` with filters, explain, exports, CLI parity notes. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-006 | DONE (2025-10-26) | Publish `/docs/ui/policies.md` (editor, simulation, approvals, RBAC). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-007 | DONE (2025-10-26) | Document `/docs/ui/runs.md` with SSE monitoring, diff, retries, evidence downloads. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-008 | DONE (2025-10-26) | Draft `/docs/ui/admin.md` covering tenants, roles, tokens, integrations, fresh-auth. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-009 | DONE (2025-10-27) | Publish `/docs/ui/downloads.md` aligning manifest with commands and offline flow. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-010 | DONE (2025-10-27) | Write `/docs/deploy/console.md` (Helm, ingress, TLS, env vars, health checks). 
| Docs Guild, Deployment Guild, Console Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WEB-21-001 | DONE (2025-10-26) | Provide graph build/overlay job APIs; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WEB-21-002 | DONE (2025-10-26) | Provide overlay lag metrics endpoint/webhook; see `docs/SCHED-WEB-21-001-GRAPH-APIS.md`. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WEB-21-003 | DONE (2025-10-26) | Replace header auth with Authority scopes using `StellaOpsScopes`; dev fallback only when `Scheduler:Authority:Enabled=false`. | Scheduler WebService Guild, Authority Core Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DEVOPS-OBS-50-001 | DONE (2025-10-26) | Deploy default OpenTelemetry collector manifests with secure OTLP pipeline. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DEVOPS-OBS-50-003 | DONE (2025-10-26) | Package telemetry stack configs for offline/air-gapped installs with signatures. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WEB-16-101 | DONE (2025-10-27) | Minimal API host with Authority enforcement. 
| Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WORKER-16-202 | DONE (2025-10-27) | ImpactIndex targeting and shard planning. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WORKER-16-203 | DONE (2025-10-27) | Runner execution invoking Scanner analysis/content refresh. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WORKER-16-204 | DONE (2025-10-27) | Emit rescan/report events for Notify/UI. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WORKER-16-205 | DONE (2025-10-27) | Metrics/telemetry for Scheduler planners/runners. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | AUTH-AOC-19-002 | DONE (2025-10-27) | Enforce tenant claim propagation and cross-tenant guardrails. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | AUTH-AOC-19-003 | DONE (2025-10-27) | Update Authority docs/config samples for new scopes. 
| Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-WEB-AOC-19-001 | DONE (2025-10-28) | Implement raw advisory ingestion endpoints with AOC guard and verifier. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WORKER-AOC-19-003 | DONE (2025-10-28) | Expand worker tests for deterministic batching and restart safety. | QA Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DEVOPS-POLICY-20-004 | DONE (2025-10-27) | Automate policy schema exports and change notifications for CLI consumers. | DevOps Guild, Scheduler Guild, CLI Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | CLI-POLICY-20-002 | DONE (2025-10-27) | Implement `stella policy simulate` with diff outputs + exit codes. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CARTO-GRAPH-21-010 | DONE (2025-10-27) | Replace hard-coded `graph:*` scope strings with shared constants once graph services integrate. | Cartographer Guild | Path: src/Cartographer/StellaOps.Cartographer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SCHED-WEB-21-002 | DONE (2025-10-26) | Expose overlay lag metrics and job completion hooks for Cartographer. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-011 | DONE (2025-10-28) | Update `/docs/install/docker.md` to include console image, compose/Helm/offline examples. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-012 | DONE (2025-10-28) | Publish `/docs/security/console-security.md` covering OIDC, scopes, CSP, evidence handling. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-013 | DONE (2025-10-28) | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/dashboards/alerts. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-014 | DONE (2025-10-28) | Maintain `/docs/cli-vs-ui-parity.md` matrix with CI drift detection guidance. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-016 | DONE (2025-10-28) | Refresh `/docs/accessibility.md` with console keyboard flows, tokens, testing tools.
2025-10-28: Published guide covering keyboard matrix, screen-reader behaviour, colour tokens, testing workflow, offline guidance, and compliance checklist. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-004 | DONE (2025-10-27) | Document policy exception effects + simulation. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-ENGINE-70-001 | DONE (2025-10-27) | Add exception evaluation layer with specificity + effects. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-EXC-25-001 | DONE (2025-10-27) | Extend SPL schema to reference exception effects and routing. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | --- — --- | --- | --- | --- | --- | Path: --- | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 16 — Scheduler Intelligence | SCHED-WORKER-16-201 | DOING (2025-10-27) | Planner loop (cron/event triggers, leases, fairness). | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. | Offline Kit Guild, DevOps Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 17 — Symbol Intelligence & Forensics | DEVOPS-REL-17-004 | BLOCKED (2025-10-26) | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate AOC analyzer/guard enforcement into CI pipelines. | DevOps Guild, Platform Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add CI stage running `stella aoc verify` against seeded snapshots. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce guard coverage thresholds and export metrics to dashboards. | DevOps Guild, QA Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CLI-AOC-19-001 | DOING (2025-10-27) | Implement `stella sources ingest --dry-run` command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CLI-AOC-19-002 | TODO | Implement `stella aoc verify` command with exit codes. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CLI-AOC-19-003 | TODO | Update CLI reference and quickstart docs for new AOC commands. | Docs/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-CORE-AOC-19-001 | TODO | Implement AOC repository guard rejecting forbidden fields. 
| Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-CORE-AOC-19-002 | TODO | Deliver deterministic linkset extraction for advisories. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-CORE-AOC-19-003 | TODO | Enforce idempotent append-only upsert with supersedes pointers. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-CORE-AOC-19-004 | DOING (2025-10-28) | Remove ingestion normalization; defer derived logic to Policy Engine. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-CORE-AOC-19-013 | TODO | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-STORE-AOC-19-001 | TODO | Add Mongo schema validator for `advisory_raw`. | Concelier Storage Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-STORE-AOC-19-002 | TODO | Create idempotency unique index backed by migration scripts. 
| Concelier Storage Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-STORE-AOC-19-003 | TODO | Deliver append-only migration/backfill plan with supersedes chaining. | Concelier Storage Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-STORE-AOC-19-004 | TODO | Document validator deployment steps for online/offline clusters. | Concelier Storage Guild, DevOps Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-WEB-AOC-19-002 | TODO | Emit AOC observability metrics, traces, and structured logs. | Concelier WebService Guild, Observability Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-WEB-AOC-19-003 | TODO | Add schema/guard unit tests covering AOC error codes. | QA Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | CONCELIER-WEB-AOC-19-004 | TODO | Build integration suite validating deterministic ingest under load. | Concelier WebService Guild, QA Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-CORE-AOC-19-001 | TODO | Introduce VEX repository guard enforcing AOC invariants. 
| Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-CORE-AOC-19-002 | TODO | Build deterministic VEX linkset extraction. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-CORE-AOC-19-003 | TODO | Enforce append-only idempotent VEX raw upserts. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-CORE-AOC-19-004 | TODO | Remove ingestion consensus logic; rely on Policy Engine. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-CORE-AOC-19-013 | TODO | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-STORE-AOC-19-001 | TODO | Add Mongo schema validator for `vex_raw`. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-STORE-AOC-19-002 | TODO | Create idempotency unique index for VEX raw documents. 
| Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-STORE-AOC-19-003 | TODO | Deliver append-only migration/backfill for VEX raw collections. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-STORE-AOC-19-004 | TODO | Document validator deployment for Excititor clusters/offline kit. | Excititor Storage Guild, DevOps Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WEB-AOC-19-001 | TODO | Implement raw VEX ingestion and AOC verifier endpoints. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WEB-AOC-19-002 | TODO | Emit AOC metrics/traces/logging for Excititor ingestion. | Excititor WebService Guild, Observability Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WEB-AOC-19-003 | TODO | Add AOC guard test harness for VEX schemas. | QA Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WEB-AOC-19-004 | TODO | Validate large VEX ingest runs and CLI verification parity. 
| Excititor WebService Guild, QA Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — Surface Sharing Foundations | SURFACE-FS-01 | TODO | Author Surface.FS cache specification and cross-module contract. | Scanner Guild, Zastava Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — Surface Sharing Foundations | SURFACE-ENV-01 | TODO | Draft Surface.Env variable matrix for Scanner/Zastava deployments. | Scanner Guild, Ops Guild, Zastava Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — Surface Sharing Foundations | SURFACE-SECRETS-01 | TODO | Define Surface.Secrets schema and rotation guidance. | Scanner Guild, Security Guild, Zastava Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — Surface Sharing Foundations | SURFACE-VAL-01 | TODO | Design validator framework for shared Surface checks and extensibility. | Scanner Guild, Security Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WORKER-AOC-19-001 | TODO | Rewire worker to persist raw VEX docs with guard enforcement. | Excititor Worker Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | EXCITITOR-WORKER-AOC-19-002 | TODO | Enforce signature/checksum verification prior to raw writes. 
| Excititor Worker Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | POLICY-AOC-19-001 | TODO | Add lint preventing ingestion modules from referencing Policy-only helpers. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | POLICY-AOC-19-002 | TODO | Enforce Policy-only writes to `effective_finding_*` collections. | Policy Guild, Security Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | POLICY-AOC-19-003 | TODO | Update Policy readers to consume only raw document fields. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | POLICY-AOC-19-004 | TODO | Add determinism tests for raw-driven policy recomputation. | Policy Guild, QA Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | UI-AOC-19-001 | TODO | Add Sources dashboard tiles surfacing AOC status and violations. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | UI-AOC-19-002 | TODO | Build violation drill-down view for offending documents. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | UI-AOC-19-003 | TODO | Wire "Verify last 24h" action and CLI parity messaging. 
| UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | WEB-AOC-19-001 | DOING (2025-10-26) | Provide shared AOC forbidden key set and guard middleware. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | WEB-AOC-19-002 | TODO | Ship provenance builder and signature helpers for ingestion services. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 19 — Aggregation-Only Contract Enforcement | WEB-AOC-19-003 | TODO | Author analyzer + shared test fixtures for guard compliance. | BE-Base Platform Guild, QA Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | DEVOPS-POLICY-20-002 | BLOCKED (waiting on POLICY-ENGINE-20-006) | Run `stella policy simulate` CI stage against golden SBOMs. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | BENCH-POLICY-20-002 | BLOCKED (waiting on SCHED-WORKER-20-302) | Add incremental run benchmark capturing delta SLA compliance. | Bench Guild, Scheduler Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | CLI-POLICY-20-003 | TODO | Extend `stella findings` commands with policy filters and explain view. | DevEx/CLI Guild, Docs Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | CONCELIER-POLICY-20-002 | TODO | Strengthen linkset builders with equivalence tables + range parsing. 
| Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | CONCELIER-POLICY-20-003 | TODO | Add advisory selection cursors + change-stream checkpoints for policy runs. | Concelier Storage Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | CONCELIER-POLICY-20-001 | TODO | Provide advisory selection endpoints for policy engine (batch PURL/ID). | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | EXCITITOR-POLICY-20-002 | TODO | Enhance VEX linkset scope + version resolution for policy accuracy. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | EXCITITOR-POLICY-20-003 | TODO | Introduce VEX selection cursors + change-stream checkpoints. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | EXCITITOR-POLICY-20-001 | TODO | Ship VEX selection APIs aligned with policy join requirements. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | Implement deterministic rule evaluator with priority/first-match semantics. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-003 | TODO | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. 
| Policy Guild, Concelier Core, Excititor Core | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-004 | TODO | Materialize effective findings with append-only history and tenant scoping. | Policy Guild, Storage Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-005 | TODO | Enforce determinism guard banning wall-clock, RNG, and network usage. | Policy Guild, Security Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-006 | TODO | Implement incremental orchestrator reacting to change streams. | Policy Guild, Scheduler Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-007 | TODO | Emit policy metrics, traces, and sampled rule-hit logs. | Policy Guild, Observability Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-008 | TODO | Add unit/property/golden/perf suites verifying determinism + SLA. | Policy Guild, QA Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | POLICY-ENGINE-20-009 | TODO | Define Mongo schemas/indexes + migrations for policies/runs/findings. | Policy Guild, Storage Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-MODELS-20-002 | TODO | Update schema docs with policy run lifecycle samples. 
| Scheduler Models Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Models | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-WEB-20-001 | TODO | Expose policy run scheduling APIs with scope enforcement. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-WEB-20-002 | TODO | Provide simulation trigger endpoint returning diff metadata. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-WORKER-20-301 | TODO | Schedule policy runs via API with idempotent job tracking. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-WORKER-20-302 | TODO | Implement delta targeting leveraging change streams + policy metadata. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | SCHED-WORKER-20-303 | TODO | Expose policy scheduling metrics/logs with policy/run identifiers. | Scheduler Worker Guild, Observability Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | UI-POLICY-20-001 | TODO | Ship Monaco-based policy editor with inline diagnostics + checklists. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | UI-POLICY-20-002 | TODO | Build simulation panel with deterministic diff rendering + virtualization. 
| UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | UI-POLICY-20-003 | TODO | Implement submit/review/approve workflow with RBAC + audit trail. | UI Guild, Product Ops | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | UI-POLICY-20-004 | TODO | Add run dashboards (heatmap/VEX wins/suppressions) with export. | UI Guild, Observability Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | WEB-POLICY-20-001 | TODO | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | WEB-POLICY-20-002 | TODO | Add pagination, filters, deterministic ordering to policy listings. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | WEB-POLICY-20-003 | TODO | Map engine errors to `ERR_POL_*` responses with contract tests. | BE-Base Platform Guild, QA Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 20 — Policy Engine v2 | WEB-POLICY-20-004 | TODO | Introduce rate limits/quotas + metrics for simulation endpoints. | Platform Reliability Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | BENCH-GRAPH-21-001 | BLOCKED (2025-10-27) | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. 
| Bench Guild, Graph Platform Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | BENCH-GRAPH-21-002 | BLOCKED (2025-10-27) | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | Bench Guild, UI Guild | Path: src/Bench/StellaOps.Bench | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-001 | BLOCKED (2025-10-27) | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | CONCELIER-GRAPH-21-002 | BLOCKED (2025-10-27) | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. | Concelier Core & Scheduler Guilds | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-001 | BLOCKED (2025-10-27) | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-002 | BLOCKED (2025-10-27) | Enrich overlay metadata with VEX justification summaries for graph overlays. 
Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | EXCITITOR-GRAPH-21-005 | BLOCKED (2025-10-27) | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. | SBOM Service & Scheduler Guilds | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. 
| SBOM Service & Observability Guilds | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | WEB-GRAPH-21-001 | BLOCKED (2025-10-27) | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | WEB-GRAPH-21-002 | BLOCKED (2025-10-27) | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | WEB-GRAPH-21-003 | BLOCKED (2025-10-27) | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. | BE-Base Platform & QA Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 21 — Graph Explorer v1 | WEB-GRAPH-21-004 | BLOCKED (2025-10-27) | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). | BE-Base & Policy Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | DOCS-LNM-22-001 | BLOCKED (2025-10-27) | Publish advisories aggregation doc with observation/linkset philosophy. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | DOCS-LNM-22-002 | BLOCKED (2025-10-27) | Publish VEX aggregation doc describing observation/linkset flow. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | DOCS-LNM-22-005 | BLOCKED (2025-10-27) | Document UI evidence panel with conflict badges/AOC drill-down. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Execute advisory observation/linkset migration/backfill and automation. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Run VEX observation/linkset migration/backfill with monitoring/runbook. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | SAMPLES-LNM-22-001 | BLOCKED (2025-10-27) | Add advisory observation/linkset fixtures with conflicts. | Samples Guild | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | SAMPLES-LNM-22-002 | BLOCKED (2025-10-27) | Add VEX observation/linkset fixtures with status disagreements. | Samples Guild | Path: samples | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | AUTH-AOC-22-001 | TODO | Roll out new advisory/vex ingest/read scopes. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CLI-LNM-22-001 | TODO | Implement advisory observation/linkset CLI commands with JSON/OSV export. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CLI-LNM-22-002 | TODO | Implement VEX observation/linkset CLI commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-001 | TODO | Define immutable advisory observation schema with AOC metadata. 
| Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-002 | TODO | Implement advisory linkset builder with correlation signals/conflicts. | Concelier Core Guild, Data Science Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | MERGE-LNM-21-002 | TODO | Deprecate merge service and enforce observation-only pipeline. | BE-Merge | Path: src/Concelier/__Libraries/StellaOps.Concelier.Merge | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-101 | TODO | Provision observations/linksets collections and indexes. | Concelier Storage Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-102 | TODO | Backfill legacy merged advisories into observations/linksets with rollback tooling. | Concelier Storage & DevOps Guilds | Path: src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-201 | TODO | Ship advisory observation read APIs with pagination/RBAC. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | CONCELIER-LNM-21-202 | TODO | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-001 | TODO | Define immutable VEX observation model. 
| Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-002 | TODO | Build VEX linkset correlator with confidence/conflict recording. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-101 | TODO | Provision VEX observation/linkset collections and indexes. | Excititor Storage Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-102 | TODO | Backfill legacy VEX data into observations/linksets with rollback scripts. | Excititor Storage & DevOps Guilds | Path: src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-201 | TODO | Expose VEX observation APIs with filters/pagination and RBAC. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | EXCITITOR-LNM-21-202 | TODO | Implement VEX linkset endpoints + exports with evidence payloads. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | POLICY-ENGINE-40-001 | TODO | Update severity selection to handle multiple source severities per linkset. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | POLICY-ENGINE-40-002 | TODO | Integrate VEX linkset conflicts into effective findings/explain traces. 
| Policy Guild, Excititor Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | SCANNER-LNM-21-001 | TODO | Update report/runtime payloads to consume linksets and surface source evidence. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | UI-LNM-22-001 | TODO | Deliver Evidence panel with policy banner and source observations. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | UI-LNM-22-003 | TODO | Add VEX evidence tab with conflict indicators and exports. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | WEB-LNM-21-001 | TODO | Surface advisory observation/linkset APIs through gateway with RBAC. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 22 — Link-Not-Merge v1 | WEB-LNM-21-002 | TODO | Expose VEX observation/linkset endpoints with export handling. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-015 | TODO | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-017 | TODO | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOCS-CONSOLE-23-018 | TODO | Execute console security checklist and record Security Guild sign-off. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DOWNLOADS-CONSOLE-23-001 | TODO | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | DEVOPS-CONSOLE-23-002 | TODO | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | AUTH-CONSOLE-23-001 | TODO | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | AUTH-CONSOLE-23-002 | TODO | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | AUTH-CONSOLE-23-003 | TODO | Update security docs/sample configs for Console flows, CSP, and session policies. | Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | CONCELIER-CONSOLE-23-001 | TODO | Surface `/console/advisories` aggregation views with per-source metadata and filters. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | CONCELIER-CONSOLE-23-002 | TODO | Provide advisory delta metrics API for dashboard + live status ticker. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | CONCELIER-CONSOLE-23-003 | TODO | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | EXCITITOR-CONSOLE-23-001 | TODO | Expose `/console/vex` aggregation endpoints with precedence and provenance. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | EXCITITOR-CONSOLE-23-002 | TODO | Publish VEX override delta metrics feeding dashboard/status ticker. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | EXCITITOR-CONSOLE-23-003 | TODO | Implement VEX search helpers for global search and explain drill-downs. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | EXPORT-CONSOLE-23-001 | TODO | Implement evidence bundle/export generator with signed manifests and telemetry. | Policy Guild, Scheduler Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | POLICY-CONSOLE-23-001 | TODO | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | POLICY-CONSOLE-23-002 | TODO | Expose simulation diff + approval state metadata for policy workspace scenarios. | Policy Guild, Product Ops | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | SBOM-CONSOLE-23-001 | TODO | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | SBOM-CONSOLE-23-002 | TODO | Provide component lookup/neighborhood endpoints for global search and overlays. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | SCHED-CONSOLE-23-001 | TODO | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | SCHED-WORKER-CONSOLE-23-201 | TODO | Stream run progress events with heartbeat/dedupe for Console SSE consumers. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | SCHED-WORKER-CONSOLE-23-202 | TODO | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | WEB-CONSOLE-23-001 | TODO | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | WEB-CONSOLE-23-002 | TODO | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. | BE-Base Platform Guild, Scheduler Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | WEB-CONSOLE-23-003 | TODO | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. | BE-Base Platform Guild, Policy Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | WEB-CONSOLE-23-004 | TODO | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 23 — StellaOps Console | WEB-CONSOLE-23-005 | TODO | Serve `/console/downloads` manifest with signed image metadata and offline guidance. | BE-Base Platform Guild, DevOps Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | AUTH-VULN-24-001 | TODO | Extend scopes (`vuln:view`/`vuln:investigate`/`vuln:operate`/`vuln:audit`) and signed permalinks. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | CONCELIER-GRAPH-24-001 | TODO | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). 
| Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | EXCITITOR-GRAPH-24-001 | TODO | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | POLICY-ENGINE-60-001 | TODO | Maintain Redis effective decision maps for overlays. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | POLICY-ENGINE-60-002 | TODO | Provide simulation bridge for graph what-if APIs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | UI-GRAPH-24-001 | TODO | Build Graph Explorer canvas with virtualization. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 24 — Graph & Vuln Explorer v1 | UI-GRAPH-24-002 | TODO | Implement overlays (Policy/Evidence/License/Exposure). | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-001 | TODO | Document exception governance concepts/workflow. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-002 | TODO | Document approvals routing / MFA requirements. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-003 | TODO | Publish API documentation for exceptions endpoints. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-005 | TODO | Document UI exception center + badges. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-006 | TODO | Update CLI docs for exception commands. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | DOCS-EXC-25-007 | TODO | Write migration guide for governed exceptions. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | AUTH-EXC-25-001 | TODO | Introduce exception scopes and routing matrix with MFA. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | AUTH-EXC-25-002 | TODO | Update docs/config samples for exception governance. | Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | CLI-EXC-25-001 | TODO | Implement CLI exception workflow commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | CLI-EXC-25-002 | TODO | Extend policy simulate with exception overrides. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-ENGINE-70-002 | TODO | Create exception collections/bindings storage + repos. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-ENGINE-70-003 | TODO | Implement Redis exception cache + invalidation. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-ENGINE-70-004 | TODO | Add metrics/tracing/logging for exception application. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | POLICY-ENGINE-70-005 | TODO | Hook workers/events for activation/expiry. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | SCHED-WORKER-25-101 | TODO | Implement exception lifecycle worker for activation/expiry. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | SCHED-WORKER-25-102 | TODO | Add expiring notification job & metrics. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | UI-EXC-25-001 | TODO | Deliver Exception Center (list/kanban) with workflows. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | UI-EXC-25-002 | TODO | Build exception creation wizard with scope/timebox guardrails. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | UI-EXC-25-003 | TODO | Add inline exception drafting/proposing from explorers. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | UI-EXC-25-004 | TODO | Surface badges/countdowns/explain integration. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | WEB-EXC-25-001 | TODO | Ship exception CRUD + workflow API endpoints. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | WEB-EXC-25-002 | TODO | Extend policy endpoints to include exception metadata. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 25 — Exceptions v1 | WEB-EXC-25-003 | TODO | Emit exception events/notifications with rate limits. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-001 | TODO | Document reachability concepts and scoring. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-002 | TODO | Document callgraph formats. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-003 | TODO | Document runtime facts ingestion. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-004 | TODO | Document policy weighting for signals. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-005 | TODO | Document UI overlays/timelines. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-006 | TODO | Document CLI reachability commands. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-007 | TODO | Publish API docs for signals endpoints. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DOCS-SIG-26-008 | TODO | Write migration guide for enabling reachability. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DEVOPS-SIG-26-001 | TODO | Provision pipelines/deployments for Signals service. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | DEVOPS-SIG-26-002 | TODO | Add dashboards/alerts for reachability metrics. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | AUTH-SIG-26-001 | TODO | Add signals scopes/roles + AOC requirements. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | CLI-SIG-26-001 | TODO | Implement reachability CLI commands (upload/list/explain). | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | CLI-SIG-26-002 | TODO | Add reachability overrides to policy simulate. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | CONCELIER-SIG-26-001 | TODO | Expose advisory symbol metadata for signals scoring. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | EXCITITOR-SIG-26-001 | TODO | Surface vendor exploitability hints to Signals. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-001 | TODO | Integrate reachability inputs into policy evaluation and explainers. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-002 | TODO | Optimize reachability fact retrieval + cache. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-003 | TODO | Update SPL compiler for reachability predicates. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-ENGINE-80-004 | TODO | Emit reachability metrics/traces. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | POLICY-SPL-24-001 | TODO | Extend SPL schema with reachability predicates/actions. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SCHED-WORKER-26-201 | TODO | Implement reachability joiner worker. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SCHED-WORKER-26-202 | TODO | Implement staleness monitor + notifications. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-001 | BLOCKED (2025-10-27) | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | Signals Guild, Authority Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-002 | BLOCKED (2025-10-27) | Implement callgraph ingestion/normalization pipeline. 
Waiting on SIGNALS-24-001 skeleton deployment. | Signals Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-003 | BLOCKED (2025-10-27) | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. | Signals Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-004 | BLOCKED (2025-10-27) | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. | Signals Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | SIGNALS-24-005 | BLOCKED (2025-10-27) | Implement caches + signals events. Downstream of SIGNALS-24-004. | Signals Guild | Path: src/Signals/StellaOps.Signals | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-001 | TODO | Add reachability columns/badges to Vulnerability Explorer. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-002 | TODO | Enhance Why drawer with call path/timeline. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-003 | TODO | Add reachability overlay/time slider to SBOM Graph. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | UI-SIG-26-004 | TODO | Build Reachability Center + missing sensor view. | UI Guild | Path: src/UI/StellaOps.UI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-001 | TODO | Expose signals proxy endpoints with pagination and RBAC. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-002 | TODO | Join reachability data into policy/vuln responses. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 26 — Reachability v1 | WEB-SIG-26-003 | TODO | Support reachability overrides in simulate APIs. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | Docs & Policy Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | Docs & Console Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Document `/docs/policy/versioning-and-publishing.md`. | Docs & Policy Registry Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | Docs & Scheduler Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Author `/docs/policy/review-and-approval.md`. | Docs & Product Ops | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Publish `/docs/policy/promotion.md` covering canary + rollback. 
| Docs & Policy Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Update `/docs/policy/cli.md` with new commands + JSON schemas. | Docs & DevEx/CLI Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | Docs & Policy Registry Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Create `/docs/security/policy-attestations.md`. | Docs & Security Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Write `/docs/architecture/policy-registry.md`. | Docs & Architecture Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Publish `/docs/observability/policy-telemetry.md`. | Docs & Observability Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Write `/docs/runbooks/policy-incident.md`. | Docs & Ops Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Update `/docs/examples/policy-templates.md`. | Docs & Policy Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. 
| Docs & Policy Registry Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEPLOY-POLICY-27-001 | TODO | Create Helm/Compose overlays for Policy Registry + workers with signing config. | Deployment & Policy Registry Guilds | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEPLOY-POLICY-27-002 | TODO | Document policy rollout/rollback playbooks in runbook. | Deployment & Policy Guilds | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEVOPS-POLICY-27-001 | TODO | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEVOPS-POLICY-27-002 | TODO | Provide optional batch simulation CI job with drift gating + PR comment. | DevOps & Policy Registry Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEVOPS-POLICY-27-003 | TODO | Manage signing keys + attestation verification in pipelines. | DevOps & Security Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | DEVOPS-POLICY-27-004 | TODO | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. | DevOps & Observability Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | AUTH-POLICY-27-001 | TODO | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | Authority Core Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | AUTH-POLICY-27-002 | TODO | Wire signing service + fresh-auth enforcement for publish/promote. 
| Authority Core & Security Guilds | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | AUTH-POLICY-27-003 | TODO | Update authority configuration/docs for Policy Studio roles & signing. | Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | CLI-POLICY-27-001 | TODO | Implement policy workspace CLI commands (init, lint, compile, test). | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | CLI-POLICY-27-002 | TODO | Add version bump, submit, review/approve CLI workflow commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | CLI-POLICY-27-003 | TODO | Extend simulate command for quick/batch runs, manifests, CI reports. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | CLI-POLICY-27-004 | TODO | Implement publish/promote/rollback/sign CLI lifecycle commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | CLI-POLICY-27-005 | TODO | Update CLI docs/reference for Policy Studio commands and schemas. | DevEx/CLI & Docs Guilds | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | POLICY-ENGINE-27-001 | TODO | Return rule coverage, symbol table, docs, hashes from compile endpoint. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | POLICY-ENGINE-27-002 | TODO | Enhance simulate outputs with heatmap, explain traces, delta summaries. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | POLICY-ENGINE-27-003 | TODO | Enforce complexity/time limits with diagnostics. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | POLICY-ENGINE-27-004 | TODO | Update tests/fixtures for coverage, symbol table, explain, complexity. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-001 | TODO | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-002 | TODO | Implement workspace storage + CRUD with tenant retention policies. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-003 | TODO | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-004 | TODO | Deliver quick simulation API with limits and deterministic outputs. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-005 | TODO | Build batch simulation orchestration, reduction, and evidence bundle storage. 
| Policy Registry & Scheduler Guilds | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-006 | TODO | Implement review workflow with comments, required approvers, webhooks. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-007 | TODO | Ship publish/sign pipeline with attestations, immutable versions. | Policy Registry & Security Guilds | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-008 | TODO | Implement promotion/canary bindings per tenant/environment with rollback. | Policy Registry Guild | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces for compile, simulation, approval latency. | Policy Registry & Observability Guilds | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites and seeded fixtures. | Policy Registry & QA Guilds | Path: src/Policy/StellaOps.Policy.Registry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | SCHED-CONSOLE-27-001 | TODO | Provide policy simulation orchestration endpoints with SSE + RBAC. | Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | SCHED-CONSOLE-27-002 | TODO | Emit policy simulation telemetry endpoints/metrics + webhooks. 
| Scheduler WebService & Observability Guilds | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | SCHED-WORKER-27-301 | TODO | Implement batch simulation worker sharding SBOMs with retries/backoff. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | SCHED-WORKER-27-302 | TODO | Build reducer job aggregating shard outputs into manifests with checksums. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | SCHED-WORKER-27-303 | TODO | Enforce tenant isolation/attestation integration and secret scanning for jobs. | Scheduler Worker & Security Guilds | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | WEB-POLICY-27-001 | TODO | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | WEB-POLICY-27-002 | TODO | Implement review lifecycle routes with audit logs and webhooks. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | WEB-POLICY-27-003 | TODO | Expose quick/batch simulation endpoints with SSE progress + manifests. | BE-Base Platform & Scheduler Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | WEB-POLICY-27-004 | TODO | Add publish/promote/rollback endpoints with canary + signing enforcement. 
| BE-Base Platform & Security Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 27 — Policy Studio | WEB-POLICY-27-005 | TODO | Instrument Policy Studio metrics/logs for dashboards. | BE-Base Platform & Observability Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-001 | TODO | Publish `/docs/sbom/graph-explorer-overview.md`. | Docs & SBOM Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-002 | TODO | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. | Docs & Console Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-003 | TODO | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). | Docs & Graph API Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-004 | TODO | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. | Docs & Graph API Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-005 | TODO | Produce `/docs/sbom/graph-cli.md` command reference. | Docs & CLI Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-006 | TODO | Publish `/docs/policy/graph-overlays.md`. | Docs & Policy Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-007 | TODO | Document `/docs/vex/graph-integration.md`. | Docs & Excitor Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-008 | TODO | Document `/docs/advisories/graph-integration.md`. 
| Docs & Concelier Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-009 | TODO | Author `/docs/architecture/graph-services.md`. | Docs & Architecture Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-010 | TODO | Publish `/docs/observability/graph-telemetry.md`. | Docs & Observability Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-011 | TODO | Write `/docs/runbooks/graph-incidents.md`. | Docs & Ops Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DOCS-GRAPH-28-012 | TODO | Create `/docs/security/graph-rbac.md`. | Docs & Security Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DEPLOY-GRAPH-28-001 | TODO | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DEVOPS-GRAPH-28-001 | TODO | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DEVOPS-GRAPH-28-002 | TODO | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | DevOps & Security Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | DEVOPS-GRAPH-28-003 | TODO | Build dashboards/alerts for tile latency, query denials, memory pressure. 
| DevOps & Observability Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | CLI-GRAPH-28-001 | TODO | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | CLI-GRAPH-28-002 | TODO | Add saved query management + deep link helpers to CLI. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | CLI-GRAPH-28-003 | TODO | Update CLI docs/examples for Graph Explorer commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | CONCELIER-GRAPH-24-101 | TODO | Deliver advisory summary API feeding graph tooltips. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | CONCELIER-GRAPH-28-102 | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | WEB-LNM-21-001 | TODO | Provide advisory observation endpoints optimized for graph overlays. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | EXCITITOR-GRAPH-24-101 | TODO | Provide VEX summary API for Graph Explorer inspector overlays. 
| Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-001 | TODO | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-002 | TODO | Implement `/graph/search` with caching and RBAC. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-003 | TODO | Build query planner + streaming tile pipeline with budgets. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-004 | TODO | Deliver `/graph/paths` with depth limits and policy overlay support. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-005 | TODO | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-006 | TODO | Compose advisory/VEX/policy overlays with caching + explain sampling. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-007 | TODO | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | Graph API Guild | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-008 | TODO | Enforce RBAC scopes, tenant headers, audit logging, rate limits. 
| Graph API & Authority Guilds | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-009 | TODO | Instrument metrics/logs/traces; publish dashboards. | Graph API & Observability Guilds | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-010 | TODO | Build unit/integration/load tests with synthetic datasets. | Graph API & QA Guilds | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-API-28-011 | TODO | Ship deployment/offline manifests + gateway integration docs. | Graph API & DevOps Guilds | Path: src/Graph/StellaOps.Graph.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-001 | TODO | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-002 | TODO | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-003 | TODO | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-004 | TODO | Integrate VEX statements for `vex_exempts` edges with precedence metadata. 
| Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-005 | TODO | Hydrate policy overlay nodes/edges referencing determinations + explains. | Graph Indexer & Policy Guilds | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-006 | TODO | Produce graph snapshots per SBOM with lineage for diff jobs. | Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-007 | TODO | Run clustering/centrality background jobs and persist cluster ids. | Graph Indexer & Observability Guilds | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-008 | TODO | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | Graph Indexer Guild | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-009 | TODO | Extend tests/perf fixtures ensuring determinism on large graphs. | Graph Indexer & QA Guilds | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | GRAPH-INDEX-28-010 | TODO | Provide deployment/offline artifacts and docs for Graph Indexer. | Graph Indexer & DevOps Guilds | Path: src/Graph/StellaOps.Graph.Indexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | POLICY-ENGINE-30-001 | TODO | Finalize graph overlay contract + projection API. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | POLICY-ENGINE-30-002 | TODO | Implement simulation overlay bridge for Graph Explorer queries. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | POLICY-ENGINE-30-003 | TODO | Emit change events for effective findings supporting graph overlays. | Policy & Scheduler Guilds | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WEB-21-004 | DOING (2025-10-26) | Persist graph jobs + emit completion events/webhook. | Scheduler WebService Guild, Scheduler Storage Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WORKER-21-201 | TODO | Run graph build worker for SBOM snapshots with retries/backoff. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WORKER-21-202 | TODO | Execute overlay refresh worker subscribing to change events. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | SCHED-WORKER-21-203 | TODO | Emit metrics/logs for graph build/overlay jobs. | Scheduler Worker & Observability Guilds | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | WEB-GRAPH-24-001 | TODO | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | WEB-GRAPH-24-002 | TODO | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 28 — Graph Explorer | WEB-GRAPH-24-004 | TODO | Add Graph Explorer telemetry endpoints and metrics aggregation. | BE-Base Platform & Observability Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-001 | TODO | Publish `/docs/vuln/explorer-overview.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-002 | TODO | Write `/docs/vuln/explorer-using-console.md`. | Docs & Console Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-003 | TODO | Author `/docs/vuln/explorer-api.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-004 | TODO | Publish `/docs/vuln/explorer-cli.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-005 | TODO | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). | Docs & Ledger Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-006 | TODO | Update `/docs/policy/vuln-determinations.md`. | Docs & Policy Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-007 | TODO | Publish `/docs/vex/explorer-integration.md`. 
| Docs & Excititor Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-008 | TODO | Publish `/docs/advisories/explorer-integration.md`. | Docs & Concelier Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-009 | TODO | Publish `/docs/sbom/vuln-resolution.md`. | Docs & SBOM Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-010 | TODO | Publish `/docs/observability/vuln-telemetry.md`. | Docs & Observability Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-011 | TODO | Publish `/docs/security/vuln-rbac.md`. | Docs & Security Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-012 | TODO | Publish `/docs/runbooks/vuln-ops.md`. | Docs & Ops Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DOCS-VULN-29-013 | TODO | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. | Docs & Deployment Guilds | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DEPLOY-VULN-29-001 | TODO | Provide deployments for Findings Ledger/projector with migrations/backups. | Deployment & Findings Ledger Guilds | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DEPLOY-VULN-29-002 | TODO | Package Vuln Explorer API deployments/health checks/offline kit notes. 
| Deployment & Vuln Explorer API Guilds | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DEVOPS-VULN-29-001 | TODO | Set up CI/backups/anchoring monitoring for Findings Ledger. | DevOps & Findings Ledger Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DEVOPS-VULN-29-002 | TODO | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. | DevOps & Vuln Explorer API Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | DEVOPS-VULN-29-003 | TODO | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. | DevOps & Console Guilds | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | AUTH-VULN-29-001 | TODO | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | AUTH-VULN-29-002 | TODO | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | AUTH-VULN-29-003 | TODO | Update docs/config samples for Vuln Explorer roles and security posture. | Authority Core & Docs Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-001 | TODO | Implement `stella vuln list` with grouping, filters, JSON/CSV output. 
| DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-002 | TODO | Implement `stella vuln show` with evidence/policy/path display. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-003 | TODO | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-004 | TODO | Implement `stella vuln simulate` producing diff summaries/Markdown. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-005 | TODO | Implement `stella vuln export` and bundle signature verification. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CLI-VULN-29-006 | TODO | Update CLI docs/examples for Vulnerability Explorer commands. | DevEx/CLI & Docs Guilds | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CONCELIER-VULN-29-001 | TODO | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CONCELIER-VULN-29-002 | TODO | Provide advisory evidence retrieval endpoint for Vuln Explorer. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | CONCELIER-VULN-29-004 | TODO | Add metrics/logs/events for advisory normalization supporting resolver. | Concelier WebService & Observability Guilds | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | EXCITITOR-VULN-29-001 | TODO | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | EXCITITOR-VULN-29-002 | TODO | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | EXCITITOR-VULN-29-004 | TODO | Instrument metrics/logs for VEX normalization and suppression events. | Excititor WebService & Observability Guilds | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-001 | TODO | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-002 | TODO | Implement ledger write API with hash chaining and Merkle root anchoring job. 
| Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-003 | TODO | Build projector worker deriving `findings_projection` with idempotent replay. | Findings Ledger & Scheduler Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-004 | TODO | Integrate Policy Engine batch evaluation into projector with rationale caching. | Findings Ledger & Policy Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-005 | TODO | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-006 | TODO | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. | Findings Ledger & Security Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-007 | TODO | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | Findings Ledger & Observability Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-008 | TODO | Provide replay/determinism/load tests for ledger/projector pipelines. | Findings Ledger & QA Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | LEDGER-29-009 | TODO | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. 
| Findings Ledger & DevOps Guilds | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | POLICY-ENGINE-29-001 | TODO | Implement policy batch evaluation endpoint returning determinations + rationale. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | POLICY-ENGINE-29-002 | TODO | Provide simulation diff API for Vuln Explorer comparisons. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | POLICY-ENGINE-29-003 | TODO | Include path/scope annotations in determinations for Explorer. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | POLICY-ENGINE-29-004 | TODO | Add telemetry for batch evaluation + simulation jobs. | Policy Guild & Observability Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SBOM-VULN-29-001 | TODO | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SBOM-VULN-29-002 | TODO | Provide resolver feed for candidate generation with idempotent delivery. | SBOM Service & Findings Ledger Guilds | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-VULN-29-001 | TODO | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. 
| Scheduler WebService Guild | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-VULN-29-002 | TODO | Provide projector lag metrics endpoint + webhook notifications. | Scheduler WebService & Observability Guilds | Path: src/Scheduler/StellaOps.Scheduler.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-001 | TODO | Implement resolver worker applying ecosystem version semantics and path scope. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-002 | TODO | Implement evaluation worker invoking Policy Engine and updating ledger queues. | Scheduler Worker Guild | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | SCHED-WORKER-29-003 | TODO | Add monitoring for resolver/evaluation backlog and SLA alerts. | Scheduler Worker & Observability Guilds | Path: src/Scheduler/__Libraries/StellaOps.Scheduler.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-001 | TODO | Publish Vuln Explorer OpenAPI + query schemas. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-002 | TODO | Implement list/query endpoints with grouping, paging, cost budgets. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-003 | TODO | Implement detail endpoint combining evidence, policy rationale, paths, history. 
| Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-004 | TODO | Expose workflow APIs writing ledger events with validation + idempotency. | Vuln Explorer API & Findings Ledger Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-005 | TODO | Implement policy simulation endpoint producing diffs without side effects. | Vuln Explorer API & Policy Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-006 | TODO | Integrate Graph Explorer paths metadata and deep-link parameters. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-007 | TODO | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | Vuln Explorer API & Security Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-008 | TODO | Provide evidence bundle export job with signing + manifests. | Vuln Explorer API Guild | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-009 | TODO | Instrument API telemetry (latency, workflow counts, exports). | Vuln Explorer API & Observability Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-010 | TODO | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. 
| Vuln Explorer API & QA Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | VULN-API-29-011 | TODO | Ship deployment/offline manifests, health checks, scaling docs. | Vuln Explorer API & DevOps Guilds | Path: src/VulnExplorer/StellaOps.VulnExplorer.Api | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-001 | TODO | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-002 | TODO | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-003 | TODO | Expose simulation/export orchestration with SSE/progress + signed links. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 29 — Vulnerability Explorer | WEB-VULN-29-004 | TODO | Aggregate Vuln Explorer telemetry (latency, errors, exports). | BE-Base Platform & Observability Guilds | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-001 | TODO | Publish `/docs/vex/consensus-overview.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-002 | TODO | Write `/docs/vex/consensus-algorithm.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-003 | TODO | Document `/docs/vex/issuer-directory.md`. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-004 | TODO | Publish `/docs/vex/consensus-api.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-005 | TODO | Create `/docs/vex/consensus-console.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-006 | TODO | Add `/docs/policy/vex-trust-model.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-007 | TODO | Author `/docs/sbom/vex-mapping.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-008 | TODO | Publish `/docs/security/vex-signatures.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | DOCS-VEX-30-009 | TODO | Write `/docs/runbooks/vex-ops.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-009, ISSUER-30-005 | TODO | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-007 | TODO | Implement `stella vex consensus` CLI commands with list/show/simulate/export. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | CONCELIER-VEXLENS-30-001 | TODO | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). 
| Concelier WebService Guild, VEX Lens Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | EXCITITOR-VULN-29-001 | TODO | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-001 | TODO | Implement issuer CRUD API with RBAC and audit logs. | Issuer Directory Guild | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-002 | TODO | Implement key management endpoints with expiry enforcement. | Issuer Directory & Security Guilds | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-003 | TODO | Provide trust weight override APIs with audit trails. | Issuer Directory & Policy Guilds | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-004 | TODO | Integrate issuer data into signature verification clients. | Issuer Directory & VEX Lens Guilds | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-005 | TODO | Instrument issuer change metrics/logs and dashboards. | Issuer Directory & Observability Guilds | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | ISSUER-30-006 | TODO | Provide deployment/backup/offline docs for Issuer Directory. 
| Issuer Directory & DevOps Guilds | Path: src/IssuerDirectory/StellaOps.IssuerDirectory | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | POLICY-ENGINE-30-101 | TODO | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-001 | TODO | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-002 | TODO | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-003 | TODO | Integrate signature verification using issuer keys; annotate evidence. | VEX Lens & Issuer Directory Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-004 | TODO | Implement trust weighting functions configurable via policy. | VEX Lens & Policy Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-005 | TODO | Implement consensus algorithm producing state, confidence, rationale, and quorum. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-006 | TODO | Materialize consensus projections and change events. 
| VEX Lens & Findings Ledger Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-007 | TODO | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine and Vuln Explorer. | VEX Lens & Policy Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-009 | TODO | Instrument metrics/logs/traces; publish dashboards/alerts. | VEX Lens & Observability Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-010 | TODO | Build unit/property/integration/load tests and determinism harness. | VEX Lens & QA Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | VEXLENS-30-011 | TODO | Provide deployment manifests, scaling guides, offline seeds, runbooks. | VEX Lens & DevOps Guilds | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 30 — VEX Lens | WEB-VEX-30-007 | TODO | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). | BE-Base Platform Guild, VEX Lens Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-001 | TODO | Publish Advisory AI overview doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-002 | TODO | Publish architecture doc for Advisory AI. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DOCS-AIAI-31-003..009 | TODO | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DEPLOY-AIAI-31-001 | TODO | Provide Advisory AI deployment/offline guidance. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | DEVOPS-AIAI-31-001 | TODO | Provision CI/perf/telemetry for Advisory AI. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-001 | TODO | Implement advisory/VEX retrievers with paragraph anchors and citations. | Advisory AI Guild | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-002 | TODO | Build SBOM context retriever and blast radius estimator. | Advisory AI Guild | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-003 | TODO | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). | Advisory AI Guild | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-004 | TODO | Orchestrator with task templates, tool chaining, caching. | Advisory AI Guild | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-005 | TODO | Guardrails (redaction, injection defense, output validation). | Advisory AI & Security Guilds | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-006 | TODO | Expose REST/batch APIs with RBAC and OpenAPI. 
| Advisory AI Guild | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-007 | TODO | Instrument metrics/logs/traces and dashboards. | Advisory AI & Observability Guilds | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-008 | TODO | Package inference + deployment manifests/flags. | Advisory AI & DevOps Guilds | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AIAI-31-009 | TODO | Build golden/injection/perf tests ensuring determinism. | Advisory AI & QA Guilds | Path: src/AdvisoryAI/StellaOps.AdvisoryAI | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AUTH-AIAI-31-001 | TODO | Define Advisory AI scopes and remote inference toggles. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | AUTH-AIAI-31-002 | TODO | Enforce prompt logging and consent/audit flows. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | CLI-AIAI-31-001 | TODO | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | CONCELIER-AIAI-31-001 | TODO | Expose advisory chunk API with paragraph anchors. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | EXCITITOR-AIAI-31-001 | TODO | Provide VEX chunks with justifications and signatures. 
| Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | POLICY-ENGINE-31-001 | TODO | Provide policy knobs for Advisory AI. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | SBOM-AIAI-31-001 | TODO | Deliver SBOM path/timeline endpoints for Advisory AI. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | VEXLENS-AIAI-31-001 | TODO | Expose enriched rationale API for conflict explanations. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | VEXLENS-AIAI-31-002 | TODO | Provide batching/caching hooks for Advisory AI. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | WEB-AIAI-31-001 | TODO | Route `/advisory/ai/*` APIs with RBAC/telemetry. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | WEB-AIAI-31-002 | TODO | Provide batch orchestration and retry handling for Advisory AI. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 31 — Advisory AI | WEB-AIAI-31-003 | TODO | Emit Advisory AI gateway telemetry/audit logs. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | DOCS-ORCH-32-001 | TODO | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | DOCS-ORCH-32-002 | TODO | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | DEVOPS-ORCH-32-001 | TODO | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | AUTH-ORCH-32-001 | TODO | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | CONCELIER-ORCH-32-001 | TODO | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | CONCELIER-ORCH-32-002 | TODO | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | EXCITITOR-ORCH-32-001 | TODO | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. | Excititor Worker Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | WORKER-GO-32-001 | TODO | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. 
| Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | WORKER-GO-32-002 | TODO | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | WORKER-PY-32-001 | TODO | Bootstrap Python async SDK with job claim/config adapters and sample worker. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | WORKER-PY-32-002 | TODO | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | ORCH-SVC-32-001 | TODO | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | ORCH-SVC-32-002 | TODO | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | ORCH-SVC-32-003 | TODO | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. 
| Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | ORCH-SVC-32-004 | TODO | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | ORCH-SVC-32-005 | TODO | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | POLICY-ENGINE-32-101 | TODO | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | SBOM-ORCH-32-001 | TODO | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 32 — Orchestrator Dashboard | WEB-ORCH-32-001 | TODO | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | DOCS-ORCH-33-001 | TODO | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | DOCS-ORCH-33-002 | TODO | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | DOCS-ORCH-33-003 | TODO | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Governance & Rules | DEVOPS-RULES-33-001 | REVIEW (2025-10-30) | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). | DevOps Guild, Platform Leads | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | DEVOPS-ORCH-33-001 | TODO | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | AUTH-ORCH-33-001 | TODO | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | CONCELIER-ORCH-33-001 | TODO | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | EXCITITOR-ORCH-33-001 | TODO | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. | Excititor Worker Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | WORKER-GO-33-001 | TODO | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. 
| Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | WORKER-GO-33-002 | TODO | Implement error classification/retry helper and structured failure report in Go SDK. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | WORKER-PY-33-001 | TODO | Add artifact publish/idempotency features to Python SDK with object store integration. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | WORKER-PY-33-002 | TODO | Expose error classification/retry/backoff helpers in Python SDK with structured logging. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | ORCH-SVC-33-001 | TODO | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | ORCH-SVC-33-002 | TODO | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | ORCH-SVC-33-003 | TODO | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. 
| Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | ORCH-SVC-33-004 | TODO | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | POLICY-ENGINE-33-101 | TODO | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | SBOM-ORCH-33-001 | TODO | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | VEXLENS-ORCH-33-001 | TODO | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. | VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 33 — Orchestrator Dashboard | WEB-ORCH-33-001 | TODO | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DOCS-ORCH-34-001 | TODO | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DOCS-ORCH-34-002 | TODO | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DOCS-ORCH-34-003 | TODO | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DOCS-ORCH-34-004 | TODO | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DOCS-ORCH-34-005 | TODO | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DEPLOY-ORCH-34-001 | TODO | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DEVOPS-ORCH-34-001 | TODO | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | DEVOPS-OFFLINE-34-006 | TODO | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. | Offline Kit Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | AUTH-ORCH-34-001 | TODO | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. 
| Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | CLI-ORCH-34-001 | TODO | Implement backfill wizard and quota management commands with dry-run preview and guardrails. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | CONCELIER-ORCH-34-001 | TODO | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | EXCITITOR-ORCH-34-001 | TODO | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. | Excititor Worker Guild | Path: src/Excititor/StellaOps.Excititor.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | LEDGER-34-101 | TODO | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | WORKER-GO-34-001 | TODO | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | WORKER-PY-34-001 | TODO | Add backfill support and deterministic artifact dedupe validation to Python SDK. 
| Worker SDK Guild | Path: src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | ORCH-SVC-34-001 | TODO | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | ORCH-SVC-34-002 | TODO | Build audit log and immutable run ledger export with signed manifest support. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | ORCH-SVC-34-003 | TODO | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | ORCH-SVC-34-004 | TODO | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | POLICY-ENGINE-34-101 | TODO | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | SBOM-ORCH-34-001 | TODO | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | SBOM Service Guild | Path: src/SbomService/StellaOps.SbomService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | VEXLENS-ORCH-34-001 | TODO | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. 
| VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 34 — Orchestrator Dashboard | WEB-ORCH-34-001 | TODO | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — EPDR Foundations | SCANNER-ANALYZERS-LANG-11-001 | TODO | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. | Scanner EPDR Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — EPDR Foundations | SCANNER-ANALYZERS-LANG-11-002 | TODO | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | Scanner EPDR Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — EPDR Foundations | SCANNER-ANALYZERS-LANG-11-003 | TODO | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). | Scanner EPDR Guild, Signals Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | DOCS-EXPORT-35-001 | TODO | Author `/docs/modules/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | DOCS-EXPORT-35-002 | TODO | Author `/docs/modules/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | DOCS-EXPORT-35-003 | TODO | Publish `/docs/modules/export-center/profiles.md` covering schemas, examples, and compatibility. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | DEPLOY-EXPORT-35-001 | TODO | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | DEVOPS-EXPORT-35-001 | TODO | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-001 | TODO | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-002 | TODO | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. 
| Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation for export bundles. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | LEDGER-EXPORT-35-001 | TODO | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | ORCH-SVC-35-101 | TODO | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | POLICY-ENGINE-35-201 | TODO | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | VEXLENS-EXPORT-35-001 | TODO | Publish consensus snapshot API delivering deterministic JSON for export consumption. 
| VEX Lens Guild | Path: src/VexLens/StellaOps.VexLens | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 35 — Export Center Phase 1 | WEB-EXPORT-35-001 | TODO | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — EPDR Observations | SCANNER-ANALYZERS-LANG-11-004 | TODO | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). | Scanner EPDR Guild, SBOM Service Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — EPDR Observations | SCANNER-ANALYZERS-LANG-11-005 | TODO | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | Scanner EPDR Guild, QA Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | DOCS-EXPORT-36-004 | TODO | Author `/docs/modules/export-center/api.md` with endpoint examples and imposed rule note. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | DOCS-EXPORT-36-005 | TODO | Publish `/docs/modules/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | DOCS-EXPORT-36-006 | TODO | Write `/docs/modules/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | DEPLOY-EXPORT-36-001 | TODO | Document registry credentials, OCI push workflows, and automation for export distributions. 
| Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | DEVOPS-EXPORT-36-001 | TODO | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | CLI-EXPORT-36-001 | TODO | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | EXPORT-SVC-36-003 | TODO | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | ORCH-SVC-36-101 | TODO | Add distribution job follow-ups, retention metadata, and metrics for export runs. 
| Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 36 — Export Center Phase 2 | WEB-EXPORT-36-001 | TODO | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DOCS-EXPORT-37-001 | TODO | Publish `/docs/modules/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DOCS-EXPORT-37-002 | TODO | Publish `/docs/modules/export-center/provenance-and-signing.md` covering manifests, attestation, verification. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DOCS-EXPORT-37-003 | TODO | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DOCS-EXPORT-37-004 | TODO | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DEVOPS-EXPORT-37-001 | TODO | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | DEVOPS-OFFLINE-37-001 | TODO | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. 
| Offline Kit Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | AUTH-EXPORT-37-001 | TODO | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | CLI-EXPORT-37-001 | TODO | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter, base export linkage, and content-addressed reuse. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | EXPORT-SVC-37-002 | TODO | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | EXPORT-SVC-37-003 | TODO | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | EXPORT-SVC-37-004 | TODO | Provide export verification API and CLI integration, including hash/signature validation endpoints. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | ORCH-SVC-37-101 | TODO | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. 
| Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Export Center Phase 3 | WEB-EXPORT-37-001 | TODO | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-001 | TODO | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-002 | TODO | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-003 | TODO | PE import + delay-load + SxS manifest parsing producing reason-coded edges. | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Mach-O load command parsing with @rpath expansion and slice handling. | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. 
| Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 37 — Native Analyzer Core | SCANNER-ANALYZERS-NATIVE-20-006 | TODO | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Native Observation Pipeline | SCANNER-ANALYZERS-NATIVE-20-007 | TODO | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). | Native Analyzer Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Native Observation Pipeline | SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | Native Analyzer Guild, QA Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Native Observation Pipeline | SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. | Native Analyzer Guild, Signals Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Native Observation Pipeline | SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Package native analyzer plug-in + Offline Kit updates and restart-time loading. | Native Analyzer Guild, DevOps Guild | Path: src/Scanner/StellaOps.Scanner.Analyzers.Native | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | DOCS-NOTIFY-38-001 | TODO | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | DEPLOY-NOTIFY-38-001 | TODO | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | DEVOPS-NOTIFY-38-001 | TODO | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | CLI-NOTIFY-38-001 | TODO | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | NOTIFY-SVC-38-001 | TODO | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | NOTIFY-SVC-38-002 | TODO | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | NOTIFY-SVC-38-003 | TODO | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. 
| Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | NOTIFY-SVC-38-004 | TODO | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | ORCH-SVC-38-101 | TODO | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | POLICY-ENGINE-38-201 | TODO | Emit enriched violation events including rationale IDs via orchestrator bus. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 38 — Notifications Studio Phase 1 | WEB-NOTIFY-38-001 | TODO | Route notifier APIs through gateway with tenant scoping and operator scopes. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-001 | TODO | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-002 | TODO | Module/classpath builder with duplicate & split-package detection. | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-003 | TODO | SPI scanner & provider selection with warnings. 
| Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-004 | DONE | Reflection/TCCL heuristics emitting reason-coded edges. | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-005 | TODO | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-006 | TODO | JNI/native hint detection for Java artifacts. | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Java Analyzer Core | SCANNER-ANALYZERS-JAVA-21-007 | TODO | Manifest/signature metadata collector (main/start/agent classes, signers). | Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | DOCS-NOTIFY-39-002 | TODO | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | DEVOPS-NOTIFY-39-002 | TODO | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | CLI-NOTIFY-39-001 | TODO | Add simulation/digest CLI verbs and advanced filtering for incidents. 
| DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | LEDGER-NOTIFY-39-001 | TODO | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | NOTIFY-SVC-39-001 | TODO | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | NOTIFY-SVC-39-002 | TODO | Add digests generator with Findings Ledger queries and distribution (email/chat). | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | NOTIFY-SVC-39-003 | TODO | Provide simulation engine and API for rule dry-run against historical events. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | NOTIFY-SVC-39-004 | TODO | Integrate quiet hours calendars and default throttles with audit logging. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 39 — Notifications Studio Phase 2 | WEB-NOTIFY-39-001 | TODO | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Java Observation & Runtime | SCANNER-ANALYZERS-JAVA-21-008 | TODO | Observation writer producing entrypoints/components/edges with warnings. 
| Java Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Java Observation & Runtime | SCANNER-ANALYZERS-JAVA-21-009 | TODO | Fixture suite + determinism/perf benchmarks for Java analyzer. | Java Analyzer Guild, QA Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Java Observation & Runtime | SCANNER-ANALYZERS-JAVA-21-010 | TODO | Optional runtime ingestion via agent/JFR producing runtime edges. | Java Analyzer Guild, Signals Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Java Observation & Runtime | SCANNER-ANALYZERS-JAVA-21-011 | TODO | Package Java analyzer plug-in + Offline Kit/CLI updates. | Java Analyzer Guild, DevOps Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | DOCS-NOTIFY-40-001 | TODO | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | DEPLOY-NOTIFY-40-001 | TODO | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | DEVOPS-NOTIFY-40-001 | TODO | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | DEVOPS-OFFLINE-37-002 | CARRY (no scope change) | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | Offline Kit Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | AUTH-NOTIFY-40-001 | TODO | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | CLI-NOTIFY-40-001 | TODO | Implement ack token redemption, escalation management, localization previews. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | NOTIFY-SVC-40-001 | TODO | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | NOTIFY-SVC-40-002 | TODO | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | NOTIFY-SVC-40-003 | TODO | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. 
| Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | NOTIFY-SVC-40-004 | TODO | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 40 — Notifications Studio Phase 3 | WEB-NOTIFY-40-001 | TODO | Expose escalation, localization, channel health endpoints and verification of signed links. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | DOCS-CLI-41-001 | TODO | Publish `/docs/modules/cli/guides/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | DEPLOY-CLI-41-001 | TODO | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | AUTH-PACKS-41-001 | TODO | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. 
| Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | CLI-CORE-41-001 | TODO | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | CLI-PARITY-41-001 | TODO | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | CLI-PARITY-41-002 | TODO | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | ORCH-SVC-41-101 | TODO | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | PACKS-REG-41-001 | TODO | Implement packs index API, signature verification, provenance storage, and RBAC. | Packs Registry Guild | Path: src/PacksRegistry/StellaOps.PacksRegistry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 41 — CLI Parity & Task Packs Phase 1 | TASKRUN-41-001 | TODO | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. 
| Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | DOCS-CLI-42-001 | TODO | Publish `/docs/modules/cli/guides/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, and pack run CI harness. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | CLI-PACKS-42-001 | TODO | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | CLI-PARITY-41-001..002 | TODO | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | LEDGER-PACKS-42-001 | TODO | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | ORCH-SVC-42-101 | TODO | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | PACKS-REG-42-001 | TODO | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. 
| Packs Registry Guild | Path: src/PacksRegistry/StellaOps.PacksRegistry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | POLICY-ENGINE-42-201 | TODO | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 42 — CLI Parity & Task Packs Phase 2 | TASKRUN-42-001 | TODO | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | DOCS-PACKS-43-001 | TODO | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | DEVOPS-CLI-43-001 | TODO | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | AUTH-PACKS-41-001 | TODO | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | CLI-PACKS-42-001 | TODO | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. 
| DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | EXPORT-SVC-35-005, PACKS-REG-41-001 | TODO | Integrate pack run manifests into export bundles and CLI verify flows. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | PACKS-REG-42-001 | TODO | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | Packs Registry Guild | Path: src/PacksRegistry/StellaOps.PacksRegistry | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 43 — CLI Parity & Task Packs Phase 3 | TASKRUN-42-001 | TODO | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DOCS-INSTALL-44-001 | TODO | Publish install overview + Compose Quickstart docs (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | COMPOSE-44-001 | TODO | Deliver Quickstart Compose stack with seed data and quickstart script. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | COMPOSE-44-002 | TODO | Provide backup/reset scripts with guardrails and documentation. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | COMPOSE-44-003 | TODO | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). 
| Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DEPLOY-COMPOSE-44-001 | TODO | Finalize Quickstart scripts and README. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DEVOPS-CONTAINERS-44-001 | TODO | Automate multi-arch builds with SBOM/signature pipeline. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DOCKER-44-001 | TODO | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DOCKER-44-002 | TODO | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | DOCKER-44-003 | TODO | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 44 — Containerized Distribution Phase 1 | WEB-CONTAINERS-44-001 | TODO | Expose config discovery and quickstart handling with health/version endpoints. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | DOCS-INSTALL-45-001 | TODO | Publish Helm production + configuration reference docs (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | DEPLOY-HELM-45-001 | TODO | Publish Helm install guide and sample values. 
| Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | HELM-45-001 | TODO | Scaffold Helm chart with component toggles and pinned digests. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | HELM-45-002 | TODO | Add security features (TLS, NetworkPolicy, Secrets integration). | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | HELM-45-003 | TODO | Implement HPA, PDB, readiness gates, and observability hooks. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | DEVOPS-CONTAINERS-45-001 | TODO | Add Compose/Helm smoke tests to CI. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 45 — Containerized Distribution Phase 2 | WEB-CONTAINERS-45-001 | TODO | Ensure readiness endpoints and config toggles support Helm deployments. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 46 — Containerized Distribution Phase 3 | DOCS-INSTALL-46-001 | TODO | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 46 — Containerized Distribution Phase 3 | DEPLOY-AIRGAP-46-001 | TODO | Provide air-gap load script and docs. | Deployment Guild | Path: ops/deployment | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 46 — Containerized Distribution Phase 3 | DEVOPS-CONTAINERS-46-001 | TODO | Build signed air-gap bundle and verify in CI. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 46 — Containerized Distribution Phase 3 | OFFLINE-CONTAINERS-46-001 | TODO | Include air-gap bundle and instructions in Offline Kit. | Offline Kit Guild | Path: ops/offline-kit | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 46 — Containerized Distribution Phase 3 | WEB-CONTAINERS-46-001 | TODO | Harden offline mode and document fallback behavior. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | DOCS-TEN-47-001 | TODO | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | DEVOPS-TEN-47-001 | TODO | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | AUTH-TEN-47-001 | TODO | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | CLI-TEN-47-001 | TODO | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 47 — Authority-Backed Scopes & Tenancy Phase 1 | WEB-TEN-47-001 | TODO | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | DOCS-TEN-48-001 | TODO | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | DEVOPS-TEN-48-001 | TODO | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | CONCELIER-TEN-48-001 | TODO | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | EXCITITOR-TEN-48-001 | TODO | Same as above for VEX linkers; enforce capability endpoint `merge=false`. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | EXPORT-TEN-48-001 | TODO | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | LEDGER-TEN-48-001 | TODO | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. 
| Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | NOTIFY-TEN-48-001 | TODO | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | ORCH-TEN-48-001 | TODO | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | POLICY-TEN-48-001 | TODO | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | TASKRUN-TEN-48-001 | TODO | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 48 — Authority-Backed Scopes & Tenancy Phase 2 | WEB-TEN-48-001 | TODO | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | DOCS-TEN-49-001 | TODO | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | DEVOPS-TEN-49-001 | TODO | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | AUTH-TEN-49-001 | TODO | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | CLI-TEN-49-001 | TODO | Add service account token minting, delegation, and `--impersonate` banner/controls. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 49 — Authority-Backed Scopes & Tenancy Phase 3 | WEB-TEN-49-001 | TODO | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-INSTALL-50-001 | TODO | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-001 | BLOCKED (2025-10-26) | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-002 | TODO | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-003 | TODO | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-OBS-50-004 | TODO | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DOCS-SEC-OBS-50-001 | TODO | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | DEVOPS-OBS-50-002 | DOING (2025-10-26) | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | AUTH-OBS-50-001 | DOING (2025-11-01) | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | CLI-OBS-50-001 | TODO | Propagate trace headers from CLI commands and print correlation IDs. 
| DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | CONCELIER-OBS-50-001 | TODO | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | CONCELIER-WEB-OBS-50-001 | TODO | Adopt telemetry core in Concelier APIs and surface correlation IDs. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | EXCITITOR-OBS-50-001 | TODO | Integrate telemetry core into VEX ingestion/linking with scope metadata. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | EXCITITOR-WEB-OBS-50-001 | TODO | Add telemetry core to VEX APIs and emit trace headers. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | EXPORT-OBS-50-001 | TODO | Enable telemetry core in export planner/workers capturing bundle metadata. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | LEDGER-OBS-50-001 | TODO | Wire telemetry core through ledger writer/projector for append/replay operations. 
| Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | ORCH-OBS-50-001 | TODO | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | POLICY-OBS-50-001 | TODO | Instrument policy compile/evaluate flows with telemetry core spans/logs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | TASKRUN-OBS-50-001 | TODO | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | TELEMETRY-OBS-50-001 | TODO | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | TELEMETRY-OBS-50-002 | TODO | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 50 — Observability & Forensics Phase 1 – Baseline Telemetry | WEB-OBS-50-001 | TODO | Integrate telemetry core into gateway and emit structured traces/logs for all routes. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | DOCS-OBS-51-001 | TODO | Publish `/docs/observability/metrics-and-slos.md` with alert policies. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | DEVOPS-OBS-51-001 | TODO | Deploy SLO evaluator service, dashboards, and alert routing. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | CLI-OBS-51-001 | TODO | Implement `stella obs top` streaming health metrics command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | CONCELIER-OBS-51-001 | TODO | Emit ingest latency metrics + SLO thresholds for advisories. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | EXCITITOR-OBS-51-001 | TODO | Provide VEX ingest metrics and SLO burn-rate automation. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | EXPORT-OBS-51-001 | TODO | Capture export planner/bundle latency metrics and SLOs. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | LEDGER-OBS-51-001 | TODO | Add ledger/projector metrics dashboards and burn-rate policies. 
| Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | NOTIFY-OBS-51-001 | TODO | Ingest SLO burn-rate webhooks and deliver observability alerts. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | ORCH-OBS-51-001 | TODO | Publish orchestration metrics, SLOs, and burn-rate alerts. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | POLICY-OBS-51-001 | TODO | Publish policy evaluation metrics + dashboards meeting SLO targets. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | TASKRUN-OBS-51-001 | TODO | Emit task runner golden-signal metrics and SLO alerts. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | TELEMETRY-OBS-51-001 | TODO | Ship metrics helpers + exemplar guards for golden signals. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | TELEMETRY-OBS-51-002 | TODO | Implement logging scrubbing and tenant debug override controls. | Security Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 51 — Observability & Forensics Phase 2 – SLOs & Dashboards | WEB-OBS-51-001 | TODO | Expose `/obs/health` and `/obs/slo` aggregations for services. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | DOCS-CLI-OBS-52-001 | TODO | Document `stella obs` CLI commands and scripting patterns. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | DOCS-CONSOLE-OBS-52-001 | TODO | Document Console observability hub and trace/log search workflows. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | DOCS-CONSOLE-OBS-52-002 | TODO | Publish Console forensics/timeline guidance with imposed rule banner. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | DEVOPS-OBS-52-001 | TODO | Configure streaming pipelines and schema validation for timeline events. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | CLI-OBS-52-001 | TODO | Add `stella obs trace` + log commands correlating timeline data. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | CONCELIER-OBS-52-001 | TODO | Emit advisory ingest/link timeline events with provenance metadata. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | CONCELIER-WEB-OBS-52-001 | TODO | Provide SSE bridge for advisory timeline events. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | EXCITITOR-OBS-52-001 | TODO | Emit VEX ingest/link timeline events with justification info. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | EXCITITOR-WEB-OBS-52-001 | TODO | Stream VEX timeline updates to clients with tenant filters. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | EXPORT-OBS-52-001 | TODO | Publish export lifecycle events into timeline. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | LEDGER-OBS-52-001 | TODO | Record ledger append/projection events into timeline stream. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | ORCH-OBS-52-001 | TODO | Emit job lifecycle timeline events with tenant/project metadata. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | POLICY-OBS-52-001 | TODO | Emit policy decision timeline events with rule summaries and trace IDs. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | TASKRUN-OBS-52-001 | TODO | Emit pack run timeline events and dedupe logic. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | TIMELINE-OBS-52-001 | TODO | Bootstrap timeline indexer service and schema with RLS scaffolding. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline with ordering and dedupe. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | TIMELINE-OBS-52-003 | TODO | Expose timeline query APIs with tenant filters and pagination. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | TIMELINE-OBS-52-004 | TODO | Finalize RLS + scope enforcement and audit logging for timeline reads. | Security Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 52 — Observability & Forensics Phase 3 – Timeline & Decision Logs | WEB-OBS-52-001 | TODO | Provide trace/log proxy endpoints bridging to timeline + log store. 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | DOCS-CLI-FORENSICS-53-001 | TODO | Document `stella forensic` CLI workflows with sample bundles. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | DOCS-FORENSICS-53-001 | TODO | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | DOCS-FORENSICS-53-003 | TODO | Publish `/docs/forensics/timeline.md` with schema and query examples. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | DEVOPS-OBS-53-001 | TODO | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | CLI-FORENSICS-53-001 | TODO | Ship `stella forensic snapshot` commands invoking evidence locker. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | CONCELIER-OBS-53-001 | TODO | Generate advisory evidence payloads (raw doc, linkset diff) for locker. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | CONCELIER-WEB-OBS-53-001 | TODO | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EVID-OBS-53-001 | TODO | Bootstrap evidence locker service with schema, storage abstraction, and RLS. | Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation, job, and export snapshots. | Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EVID-OBS-53-003 | TODO | Expose evidence APIs (create/get/verify/hold) with audit + quotas. | Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EXCITITOR-OBS-53-001 | TODO | Produce VEX evidence payloads and push to locker. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EXCITITOR-WEB-OBS-53-001 | TODO | Expose `/evidence/vex/*` endpoints retrieving locker bundles. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | EXPORT-OBS-53-001 | TODO | Store export manifests + transcripts within evidence bundles. 
| Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | LEDGER-OBS-53-001 | TODO | Persist evidence bundle references alongside ledger entries and expose lookup API. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | ORCH-OBS-53-001 | TODO | Attach job capsules + manifests to evidence locker snapshots. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | POLICY-OBS-53-001 | TODO | Build evaluation evidence bundles (inputs, rule traces, engine version). | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | TASKRUN-OBS-53-001 | TODO | Capture step transcripts and manifests into evidence bundles. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 53 — Observability & Forensics Phase 4 – Evidence Locker | TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | Timeline Indexer Guild | Path: src/TimelineIndexer/StellaOps.TimelineIndexer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | DOCS-FORENSICS-53-002 | TODO | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | DEVOPS-OBS-54-001 | TODO | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | CLI-FORENSICS-54-001 | TODO | Implement `stella forensic verify` command verifying bundles + signatures. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | CLI-FORENSICS-54-002 | TODO | Add `stella forensic attest show` command with signer/timestamp details. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | CONCELIER-OBS-54-001 | TODO | Sign advisory batches with DSSE attestations and expose verification. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | CONCELIER-WEB-OBS-54-001 | TODO | Add `/attestations/advisories/*` endpoints surfacing verification metadata. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | EVID-OBS-54-001 | TODO | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. 
| Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | EVID-OBS-54-002 | TODO | Provide bundle packaging + offline verification fixtures. | Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | EXCITITOR-OBS-54-001 | TODO | Produce VEX batch attestations linking to timeline/ledger. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | EXCITITOR-WEB-OBS-54-001 | TODO | Expose `/attestations/vex/*` endpoints with verification summaries. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | EXPORT-OBS-54-001 | TODO | Produce export attestation manifests and CLI verification hooks. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | ORCH-OBS-54-001 | TODO | Produce DSSE attestations for jobs and surface verification endpoint. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | POLICY-OBS-54-001 | TODO | Generate DSSE attestations for policy evaluations and expose verification API. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | PROV-OBS-53-001 | TODO | Implement DSSE/SLSA models with deterministic serializer + test vectors. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with policy enforcement. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | PROV-OBS-54-001 | TODO | Deliver verification library validating DSSE signatures + Merkle roots. | Provenance Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | PROV-OBS-54-002 | TODO | Package provenance verification tool for CLI integration and offline use. | Provenance Guild, DevEx/CLI Guild | Path: src/Provenance/StellaOps.Provenance.Attestation | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 54 — Observability & Forensics Phase 5 – Provenance & Verification | TASKRUN-OBS-54-001 | TODO | Generate pack run attestations and link to timeline/evidence. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | DOCS-RUNBOOK-55-001 | TODO | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | DEVOPS-OBS-55-001 | TODO | Automate incident mode activation via SLO alerts, retention override management, and reset job. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | AUTH-OBS-55-001 | DOING (2025-11-01) | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | CLI-OBS-55-001 | TODO | Ship `stella obs incident-mode` commands with safeguards and audit logging. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | CONCELIER-OBS-55-001 | TODO | Increase sampling and raw payload retention under incident mode with redaction guards. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | CONCELIER-WEB-OBS-55-001 | TODO | Provide incident mode toggle endpoints and propagate to services. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | EVID-OBS-55-001 | TODO | Extend evidence retention + activation events for incident windows. 
| Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | EXCITITOR-OBS-55-001 | TODO | Enable incident sampling + retention overrides for VEX pipelines. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | EXCITITOR-WEB-OBS-55-001 | TODO | Add incident mode APIs for VEX services with audit + guardrails. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | EXPORT-OBS-55-001 | TODO | Increase export telemetry + debug retention during incident mode and emit events. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | LEDGER-OBS-55-001 | TODO | Extend retention and diagnostics capture during incident mode. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | NOTIFY-OBS-55-001 | TODO | Send incident mode start/stop notifications with quick links to evidence/timeline. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | ORCH-OBS-55-001 | TODO | Increase telemetry + evidence capture during incident mode and emit activation events. 
| Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | POLICY-OBS-55-001 | TODO | Capture full rule traces + retention bump on incident activation with timeline events. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | TASKRUN-OBS-55-001 | TODO | Capture extra debug data + notifications for incident mode runs. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | TELEMETRY-OBS-55-001 | TODO | Implement incident mode sampling toggle API with activation audit trail. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 55 — Observability & Forensics Phase 6 – Incident Mode | WEB-OBS-55-001 | TODO | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DOCS-AIRGAP-56-001 | TODO | Publish `/docs/airgap/overview.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DOCS-AIRGAP-56-002 | TODO | Document sealing and egress controls. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DOCS-AIRGAP-56-003 | TODO | Publish mirror bundles guide. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DOCS-AIRGAP-56-004 | TODO | Publish bootstrap pack guide. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DEVOPS-AIRGAP-56-001 | TODO | Publish deny-all egress policies and verification script for sealed environments. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DEVOPS-AIRGAP-56-002 | TODO | Provide bundle staging/import scripts for air-gapped object stores. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | DEVOPS-AIRGAP-56-003 | TODO | Build Bootstrap Pack pipeline bundling images/charts with checksums. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-CTL-56-001 | TODO | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | AirGap Controller Guild | Path: src/AirGap/StellaOps.AirGap.Controller | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-CTL-56-002 | TODO | Expose seal/status APIs with policy hash validation and staleness placeholders. | AirGap Controller Guild | Path: src/AirGap/StellaOps.AirGap.Controller | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-IMP-56-001 | TODO | Implement DSSE/TUF/Merkle verification helpers. 
| AirGap Importer Guild | Path: src/AirGap/StellaOps.AirGap.Importer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-IMP-56-002 | TODO | Enforce root rotation policy for bundles. | AirGap Importer Guild | Path: src/AirGap/StellaOps.AirGap.Importer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-POL-56-001 | TODO | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | AIRGAP-POL-56-002 | TODO | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | CLI-AIRGAP-56-001 | TODO | Implement mirror create/verify and airgap verify commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | CLI-OBS-50-001 | TODO | Ensure telemetry propagation for sealed logging. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | CONCELIER-AIRGAP-56-001 | TODO | Add mirror ingestion adapters preserving source metadata. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | EXCITITOR-AIRGAP-56-001 | TODO | Add VEX mirror ingestion adapters. 
| Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | EXPORT-AIRGAP-56-001 | TODO | Extend export center to build mirror bundles. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | MIRROR-CRT-56-001 | TODO | Build deterministic bundle assembler (advisories/vex/policy). | Mirror Creator Guild | Path: src/Mirror/StellaOps.Mirror.Creator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | ORCH-AIRGAP-56-001 | TODO | Validate jobs against sealed-mode restrictions. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | POLICY-AIRGAP-56-001 | TODO | Accept policy packs from bundles with provenance tracking. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | TASKRUN-AIRGAP-56-001 | TODO | Enforce sealed-mode plan validation for network calls. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | TELEMETRY-OBS-56-001 | TODO | (Carry) Extend telemetry core with sealed-mode hooks before integration. | Observability Guild | Path: src/Telemetry/StellaOps.Telemetry.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 56 — Air-Gapped Mode Phase 1 – Sealing Foundations | WEB-OBS-56-001 | TODO | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). 
| BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DOCS-AIRGAP-57-001 | TODO | Publish staleness/time doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DOCS-AIRGAP-57-002 | TODO | Publish console airgap doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DOCS-AIRGAP-57-003 | TODO | Publish CLI airgap doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DOCS-AIRGAP-57-004 | TODO | Publish airgap operations runbook. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DEVOPS-AIRGAP-57-001 | TODO | Automate mirror bundle creation with approvals. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | DEVOPS-AIRGAP-57-002 | TODO | Run sealed-mode CI suite enforcing zero egress. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | AIRGAP-IMP-57-001 | TODO | Implement bundle catalog with RLS + migrations. | AirGap Importer Guild | Path: src/AirGap/StellaOps.AirGap.Importer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | AIRGAP-IMP-57-002 | TODO | Load artifacts into object store with checksum verification. 
| AirGap Importer Guild | Path: src/AirGap/StellaOps.AirGap.Importer | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | AIRGAP-POL-57-001 | TODO | Adopt EgressPolicy in core services. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | AIRGAP-POL-57-002 | TODO | Enforce Task Runner job plan validation. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | AIRGAP-TIME-57-001 | TODO | Parse signed time tokens and expose normalized anchors. | AirGap Time Guild | Path: src/AirGap/StellaOps.AirGap.Time | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | CLI-AIRGAP-57-001 | TODO | Complete airgap import CLI with diff preview. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | CLI-AIRGAP-57-002 | TODO | Ship seal/status CLI commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | EXPORT-AIRGAP-56-002 | TODO | Deliver bootstrap pack artifacts. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | MIRROR-CRT-57-001 | TODO | Add OCI image support to mirror bundles. 
| Mirror Creator Guild | Path: src/Mirror/StellaOps.Mirror.Creator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | MIRROR-CRT-57-002 | TODO | Embed signed time anchors in bundles. | Mirror Creator Guild | Path: src/Mirror/StellaOps.Mirror.Creator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | NOTIFY-AIRGAP-56-001 | TODO | Lock notifications to enclave-safe channels. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ORCH-AIRGAP-56-002 | TODO | Integrate sealing status + staleness into scheduling. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | TASKRUN-AIRGAP-56-002 | TODO | Provide bundle ingestion helper steps. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-001 | TODO | Publish degradation matrix doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-002 | TODO | Update trust & signing doc for DSSE/TUF roots. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-003 | TODO | Publish developer airgap contracts doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-004 | TODO | Document portable evidence workflows. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | AIRGAP-CTL-58-001 | TODO | Persist time anchor data and expose drift metrics. | AirGap Controller Guild | Path: src/AirGap/StellaOps.AirGap.Controller | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | AIRGAP-POL-58-001 | TODO | Disable remote observability exporters in sealed mode. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | AIRGAP-POL-58-002 | TODO | Add CLI sealed-mode guard. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | AIRGAP-TIME-58-001 | TODO | Compute drift/staleness metrics and surface via controller status. | AirGap Time Guild | Path: src/AirGap/StellaOps.AirGap.Time | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | AIRGAP-TIME-58-002 | TODO | Emit notifications/events for staleness budgets. | AirGap Time Guild | Path: src/AirGap/StellaOps.AirGap.Time | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | CLI-AIRGAP-58-001 | TODO | Ship portable evidence export helper. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | CONCELIER-AIRGAP-57-002 | TODO | Annotate advisories with staleness metadata. 
| Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | EXCITITOR-AIRGAP-57-002 | TODO | Annotate VEX statements with staleness metadata. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | EXPORT-AIRGAP-57-001 | TODO | Add portable evidence export integration. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | NOTIFY-AIRGAP-57-001 | TODO | Notify on drift/staleness thresholds. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | ORCH-AIRGAP-58-001 | TODO | Link import/export jobs to timeline/evidence. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | POLICY-AIRGAP-57-002 | TODO | Show degradation fallback info in explain traces. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | TASKRUN-AIRGAP-58-001 | TODO | Capture import job evidence transcripts. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | CONCELIER-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standard errors. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standard errors. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | EXPORT-AIRGAP-58-001 | TODO | Emit notifications/timeline for bundle readiness. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | LEDGER-AIRGAP-56-002 | TODO | Enforce staleness thresholds for findings exports. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | NOTIFY-AIRGAP-58-001 | TODO | Notify on portable evidence exports. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | ORCH-AIRGAP-57-001 | TODO | Automate mirror bundle job scheduling with audit provenance. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | POLICY-AIRGAP-57-001 | TODO | Enforce sealed-mode guardrails inside evaluation engine. 
| Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 59 — Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | TASKRUN-AIRGAP-57-001 | TODO | Block execution when seal state mismatched; emit timeline events. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | DOCS-AIRGAP-58-004 | TODO | Document portable evidence workflows. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | CLI-AIRGAP-58-001 | TODO | Finalize portable evidence CLI workflow with verification. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | CONCELIER-WEB-AIRGAP-58-001 | TODO | Emit timeline events for bundle imports. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. | Evidence Locker Guild | Path: src/EvidenceLocker/StellaOps.EvidenceLocker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | LEDGER-AIRGAP-57-001 | TODO | Link findings to portable evidence bundles. 
| Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | NOTIFY-AIRGAP-58-001 | TODO | (Carry) Portable evidence notifications. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 60 — Air-Gapped Mode Phase 5 – Evidence Portability & UX | POLICY-AIRGAP-58-001 | TODO | Notify on stale policy packs and guide remediation. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | DOCS-OAS-61-001 | TODO | Publish `/docs/api/overview.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | DOCS-OAS-61-002 | TODO | Publish `/docs/api/conventions.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | DOCS-OAS-61-003 | TODO | Publish `/docs/api/versioning.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | DEVOPS-OAS-61-001 | TODO | Add OAS lint/validation/diff stages to CI. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | APIGOV-61-001 | TODO | Configure lint rules and CI enforcement. | API Governance Guild | Path: src/Api/StellaOps.Api.Governance | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | APIGOV-61-002 | TODO | Enforce example coverage in CI. 
| API Governance Guild | Path: src/Api/StellaOps.Api.Governance | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | OAS-61-001 | TODO | Scaffold per-service OpenAPI skeletons with shared components. | API Contracts Guild | Path: src/Api/StellaOps.Api.OpenApi | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | OAS-61-002 | TODO | Build aggregate composer and integrate into CI. | API Contracts Guild | Path: src/Api/StellaOps.Api.OpenApi | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | AUTH-OAS-61-001 | TODO | Document Authority authentication APIs in OAS. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | AUTH-OAS-61-002 | TODO | Provide Authority discovery endpoint. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | CONCELIER-OAS-61-001 | TODO | Update advisory OAS coverage. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | CONCELIER-OAS-61-002 | TODO | Populate advisory examples. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | CONCELIER-WEB-OAS-61-001 | TODO | Implement Concelier discovery endpoint. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | CONCELIER-WEB-OAS-61-002 | TODO | Standardize error envelope. | Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXCITITOR-OAS-61-001 | TODO | Update VEX OAS coverage. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXCITITOR-OAS-61-002 | TODO | Provide VEX examples. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXCITITOR-WEB-OAS-61-001 | TODO | Implement discovery endpoint. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXCITITOR-WEB-OAS-61-002 | TODO | Migrate errors to standard envelope. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXPORT-OAS-61-001 | TODO | Update Exporter spec coverage. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | EXPORT-OAS-61-002 | TODO | Implement Exporter discovery endpoint. 
| Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | LEDGER-OAS-61-001 | TODO | Expand Findings Ledger spec coverage. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | LEDGER-OAS-61-002 | TODO | Provide ledger discovery endpoint. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | NOTIFY-OAS-61-001 | TODO | Update notifier spec coverage. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | NOTIFY-OAS-61-002 | TODO | Implement notifier discovery endpoint. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | ORCH-OAS-61-001 | TODO | Extend Orchestrator spec coverage. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | ORCH-OAS-61-002 | TODO | Provide orchestrator discovery endpoint. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | TASKRUN-OAS-61-001 | TODO | Document Task Runner APIs in OAS. 
| Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | TASKRUN-OAS-61-002 | TODO | Expose Task Runner discovery endpoint. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | WEB-OAS-61-001 | TODO | Implement gateway discovery endpoint. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 61 — SDKs & OpenAPI Phase 1 – Contract Foundations | WEB-OAS-61-002 | TODO | Standardize error envelope across gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-CONTRIB-62-001 | TODO | Publish API contracts contributing guide. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-DEVPORT-62-001 | TODO | Document dev portal publishing. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-OAS-62-001 | TODO | Deploy `/docs/api/reference/` generated site. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-SDK-62-001 | TODO | Publish SDK overview + language guides. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-SEC-62-001 | TODO | Update auth scopes documentation. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DOCS-TEST-62-001 | TODO | Publish contract testing doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | APIGOV-62-001 | TODO | Implement compatibility diff tool. | API Governance Guild | Path: src/Api/StellaOps.Api.Governance | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | OAS-62-001 | TODO | Populate examples for top endpoints. | API Contracts Guild | Path: src/Api/StellaOps.Api.OpenApi | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | AUTH-OAS-62-001 | TODO | Provide SDK auth helpers/tests. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CLI-SDK-62-001 | TODO | Migrate CLI to official SDK. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CLI-SDK-62-002 | TODO | Update CLI error handling for new envelope. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CONCELIER-OAS-62-001 | TODO | Add SDK smoke tests for advisory APIs. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CONCELIER-WEB-OAS-62-001 | TODO | Add advisory API examples. 
| Concelier WebService Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DEVPORT-62-001 | TODO | Build static generator with nav/search. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | DEVPORT-62-002 | TODO | Add schema viewer, examples, version selector. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | EXCITITOR-OAS-62-001 | TODO | Add SDK tests for VEX APIs. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | EXCITITOR-WEB-OAS-62-001 | TODO | Provide VEX API examples. | Excititor WebService Guild | Path: src/Excititor/StellaOps.Excititor.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | EXPORT-OAS-62-001 | TODO | Ensure SDK streaming helpers for exports. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | LEDGER-OAS-62-001 | TODO | Provide SDK tests for ledger APIs. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | NOTIFY-OAS-62-001 | TODO | Provide SDK examples for notifier APIs. 
| Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | SDKGEN-62-001 | TODO | Establish generator framework. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | SDKGEN-62-002 | TODO | Implement shared post-processing helpers. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | TASKRUN-OAS-62-001 | TODO | Provide SDK examples for pack runs. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | WEB-OAS-62-001 | TODO | Align pagination/idempotency behaviors. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CONTR-62-001 | TODO | Generate mock server fixtures. | Contract Testing Guild | Path: test/contract | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 62 — SDKs & OpenAPI Phase 2 – Examples & Portal | CONTR-62-002 | TODO | Integrate mock server into CI. | Contract Testing Guild | Path: test/contract | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | DOCS-TEST-62-001 | TODO | (Carry) ensure contract testing doc final. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | APIGOV-63-001 | TODO | Integrate compatibility diff gating. 
| API Governance Guild | Path: src/Api/StellaOps.Api.Governance | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | OAS-63-001 | TODO | Compatibility diff support. | API Contracts Guild | Path: src/Api/StellaOps.Api.OpenApi | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | OAS-63-002 | TODO | Define discovery schema metadata. | API Contracts Guild | Path: src/Api/StellaOps.Api.OpenApi | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | CLI-SDK-63-001 | TODO | Add CLI spec download command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | DEVPORT-63-001 | TODO | Add Try-It console. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | DEVPORT-63-002 | TODO | Embed SDK snippets/quick starts. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKGEN-63-001 | TODO | Release TypeScript SDK alpha. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKGEN-63-002 | TODO | Release Python SDK alpha. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKGEN-63-003 | TODO | Release Go SDK alpha. 
| SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKGEN-63-004 | TODO | Release Java SDK alpha. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKREL-63-001 | TODO | Configure SDK release pipelines. | SDK Release Guild | Path: src/Sdk/StellaOps.Sdk.Release | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | SDKREL-63-002 | TODO | Automate changelogs from OAS diffs. | SDK Release Guild | Path: src/Sdk/StellaOps.Sdk.Release | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | CONTR-63-001 | TODO | Build replay harness for drift detection. | Contract Testing Guild | Path: test/contract | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 63 — SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | CONTR-63-002 | TODO | Emit contract testing metrics. | Contract Testing Guild | Path: test/contract | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DOCS-AIRGAP-DEVPORT-64-001 | TODO | Document devportal offline usage. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DEVOPS-DEVPORT-63-001 | TODO | Automate developer portal pipeline. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DEVOPS-DEVPORT-64-001 | TODO | Schedule offline bundle builds. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DEVPORT-64-001 | TODO | Offline portal build. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DEVPORT-64-002 | TODO | Add accessibility/performance checks. | Developer Portal Guild | Path: src/DevPortal/StellaOps.DevPortal.Site | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DVOFF-64-001 | TODO | Implement devportal offline export job. | DevPortal Offline Guild | Path: src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | DVOFF-64-002 | TODO | Provide verification CLI. | DevPortal Offline Guild | Path: src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | SDKGEN-64-001 | TODO | Migrate CLI to SDK. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | SDKGEN-64-002 | TODO | Integrate SDKs into Console. | SDK Generator Guild | Path: src/Sdk/StellaOps.Sdk.Generator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | SDKREL-64-001 | TODO | Hook SDK releases to Notifications. | SDK Release Guild | Path: src/Sdk/StellaOps.Sdk.Release | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 64 — SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | SDKREL-64-002 | TODO | Produce devportal offline bundle. 
| SDK Release Guild | Path: src/Sdk/StellaOps.Sdk.Release | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | DOCS-AIRGAP-DEVPORT-64-001 | TODO | (Carry) ensure offline doc published; update as necessary. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | APIGOV-63-001 | TODO | (Carry) compatibility gating monitoring. | API Governance Guild | Path: src/Api/StellaOps.Api.Governance | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | AUTH-OAS-63-001 | DONE (2025-11-01) | Deprecation headers for auth endpoints. | Authority Core & Security Guild | Path: src/Authority/StellaOps.Authority | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | CLI-SDK-64-001 | TODO | SDK update awareness command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | CONCELIER-OAS-63-001 | TODO | Deprecation metadata for Concelier APIs. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | EXCITITOR-OAS-63-001 | TODO | Deprecation metadata for VEX APIs. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | EXPORT-OAS-63-001 | TODO | Deprecation headers for exporter APIs. 
| Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | LEDGER-OAS-63-001 | TODO | Deprecation headers for ledger APIs. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | NOTIFY-OAS-63-001 | TODO | Emit deprecation notifications. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | ORCH-OAS-63-001 | TODO | Add orchestrator deprecation headers. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | SDKREL-64-001 | TODO | Production rollout of notifications feed. | SDK Release Guild | Path: src/Sdk/StellaOps.Sdk.Release | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | TASKRUN-OAS-63-001 | TODO | Add Task Runner deprecation headers. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 65 — SDKs & OpenAPI Phase 5 – Deprecation & Notifications | WEB-OAS-63-001 | TODO | Implement deprecation headers in gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | DOCS-RISK-66-001 | TODO | Publish `/docs/risk/overview.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | DOCS-RISK-66-002 | TODO | Publish `/docs/risk/profiles.md`. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | DOCS-RISK-66-003 | TODO | Publish `/docs/risk/factors.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | DOCS-RISK-66-004 | TODO | Publish `/docs/risk/formulas.md`. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | CLI-RISK-66-001 | TODO | Implement CLI profile management commands. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | CLI-RISK-66-002 | TODO | Implement CLI simulation command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | CONCELIER-RISK-66-001 | TODO | Expose CVSS/KEV provider data. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | CONCELIER-RISK-66-002 | TODO | Provide fix availability signals. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | EXCITITOR-RISK-66-001 | TODO | Supply VEX gating data to risk engine. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | EXCITITOR-RISK-66-002 | TODO | Provide reachability inputs. 
| Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | LEDGER-RISK-66-001 | TODO | Add risk scoring columns/indexes. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | LEDGER-RISK-66-002 | TODO | Implement deterministic scoring upserts. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | NOTIFY-RISK-66-001 | TODO | Create risk severity alert templates. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | POLICY-RISK-66-003 | TODO | Integrate schema validation into Policy Engine. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | POLICY-RISK-66-001 | TODO | Deliver RiskProfile schema + validators. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | POLICY-RISK-66-002 | TODO | Implement inheritance/merge and hashing. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | POLICY-RISK-66-004 | TODO | Extend Policy libraries for RiskProfile handling. 
| Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | RISK-ENGINE-66-001 | TODO | Scaffold risk engine queue/worker/registry. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | RISK-ENGINE-66-002 | TODO | Implement transforms/gates/contribution calculator. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-001 | TODO | Expose risk API routing in gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 66 — Risk Profiles Phase 1 – Foundations | WEB-RISK-66-002 | TODO | Handle explainability downloads. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-001 | TODO | Publish explainability doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-002 | TODO | Publish risk API doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-003 | TODO | Publish console risk UI doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | DOCS-RISK-67-004 | TODO | Publish CLI risk doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | CLI-RISK-67-001 | TODO | Provide risk results query command. 
| DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | CONCELIER-RISK-67-001 | TODO | Add source consensus metrics. | Concelier Core Guild | Path: src/Concelier/__Libraries/StellaOps.Concelier.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | EXCITITOR-RISK-67-001 | TODO | Add VEX explainability metadata. | Excititor Core Guild | Path: src/Excititor/__Libraries/StellaOps.Excititor.Core | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | NOTIFY-RISK-67-001 | TODO | Notify on profile publish/deprecate. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | NOTIFY-RISK-68-001 | TODO | (Prep) risk routing settings seeds. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | POLICY-RISK-67-001 | TODO | Enqueue scoring on new findings. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | POLICY-RISK-67-002 | TODO | Deliver profile lifecycle APIs. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | POLICY-RISK-67-001 | TODO | Integrate profiles into policy store lifecycle. 
| Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | POLICY-RISK-67-002 | TODO | Publish schema endpoint + validation tooling. | Risk Profile Schema Guild | Path: src/Policy/StellaOps.Policy.RiskProfile | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | POLICY-RISK-67-003 | TODO | Provide simulation orchestration APIs. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-001 | TODO | Integrate CVSS/KEV providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | RISK-ENGINE-67-003 | TODO | Add fix availability/criticality/exposure providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 67 — Risk Profiles Phase 2 – Providers & Lifecycle | WEB-RISK-67-001 | TODO | Provide risk status endpoint. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | DOCS-RISK-68-001 | TODO | Publish risk bundle doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | DOCS-RISK-68-002 | TODO | Update AOC invariants doc. 
| Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | CLI-RISK-68-001 | TODO | Add risk bundle verification command. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | LEDGER-RISK-67-001 | TODO | Provide scored findings query API. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | LEDGER-RISK-68-001 | TODO | Enable scored findings export. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | NOTIFY-RISK-68-001 | TODO | Configure risk notification routing UI/logic. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | POLICY-RISK-68-001 | TODO | Ship simulation API endpoint. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | POLICY-RISK-68-002 | TODO | Support profile export/import. | Policy Guild | Path: src/Policy/__Libraries/StellaOps.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | RISK-ENGINE-68-001 | TODO | Persist scoring results & explanations. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | RISK-ENGINE-68-002 | TODO | Expose jobs/results/explanations APIs. 
| Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 68 — Risk Profiles Phase 3 – APIs & Ledger | WEB-RISK-68-001 | TODO | Emit severity transition events via gateway. | BE-Base Platform Guild | Path: src/Web/StellaOps.Web | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | DOCS-RISK-67-001..004 | TODO | (Carry) ensure docs updated from simulation release. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-BUNDLE-69-001 | TODO | Build risk bundle. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-BUNDLE-69-002 | TODO | Integrate bundle into pipelines. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | EXPORT-RISK-69-002 | TODO | Enable simulation report exports. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | NOTIFY-RISK-66-001 | TODO | (Completion) finalize severity alert templates. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-ENGINE-69-001 | TODO | Implement simulation mode. 
| Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 69 — Risk Profiles Phase 4 – Simulation & Reporting | RISK-ENGINE-69-002 | TODO | Add telemetry/metrics dashboards. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | DOCS-RISK-68-001 | TODO | (Carry) finalize risk bundle doc after verification CLI. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | RISK-BUNDLE-70-001 | TODO | Provide bundle verification CLI. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | RISK-BUNDLE-70-002 | TODO | Publish documentation. | Risk Bundle Export Guild | Path: src/ExportCenter/StellaOps.ExportCenter.RiskBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | EXPORT-RISK-70-001 | TODO | Integrate risk bundle into offline kit. | Exporter Service Guild | Path: src/ExportCenter/StellaOps.ExportCenter | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | NOTIFY-RISK-68-001 | TODO | Finalize risk alert routing UI. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | RISK-ENGINE-70-001 | TODO | Support offline provider bundles. 
| Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 70 — Risk Profiles Phase 5 – Air-Gap & Advanced Factors | RISK-ENGINE-70-002 | TODO | Integrate runtime/reachability providers. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 71 — Risk Profiles Phase 6 – Quality & Performance | DOCS-RISK-67-001..68-002 | TODO | Final editorial pass on risk documentation set. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 71 — Risk Profiles Phase 6 – Quality & Performance | CLI-RISK-66-001..68-001 | TODO | Harden CLI commands with integration tests and error handling. | DevEx/CLI Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 71 — Risk Profiles Phase 6 – Quality & Performance | LEDGER-RISK-69-001 | TODO | Finalize dashboards and alerts for scoring latency. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 71 — Risk Profiles Phase 6 – Quality & Performance | NOTIFY-RISK-68-001 | TODO | Tune routing/quiet hour dedupe for risk alerts. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 71 — Risk Profiles Phase 6 – Quality & Performance | RISK-ENGINE-69-002 | TODO | Optimize performance, cache, and incremental scoring; validate SLOs. | Risk Engine Guild | Path: src/RiskEngine/StellaOps.RiskEngine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | DEVOPS-ATTEST-73-001 | TODO | (Prep) align CI secrets for Attestor service. 
| DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTEST-ENVELOPE-72-001 | TODO | Implement DSSE canonicalization and hashing helpers. | Envelope Guild | Path: src/Attestor/StellaOps.Attestor.Envelope | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTEST-ENVELOPE-72-002 | TODO | Support compact/expanded output and detached payloads. | Envelope Guild | Path: src/Attestor/StellaOps.Attestor.Envelope | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTEST-TYPES-72-001 | DONE | Draft schemas for all attestation payload types. | Attestation Payloads Guild | Path: src/Attestor/StellaOps.Attestor.Types | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTEST-TYPES-72-002 | DONE | Generate models/validators from schemas. | Attestation Payloads Guild | Path: src/Attestor/StellaOps.Attestor.Types | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTESTOR-72-001 | TODO | Scaffold attestor service skeleton. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | ATTESTOR-72-002 | TODO | Implement attestation store + storage integration. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 72 — Attestor Console Phase 1 – Foundations | KMS-72-001 | DONE | Implement KMS interface + file driver. 
| KMS Guild | Path: src/__Libraries/StellaOps.Cryptography.Kms | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor CLI Phase 2 – Signing & Policies | CLI-ATTEST-73-001 | TODO | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | CLI Attestor Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor CLI Phase 2 – Signing & Policies | CLI-ATTEST-73-002 | TODO | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | CLI Attestor Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | DOCS-ATTEST-73-001 | TODO | Publish attestor overview. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | DOCS-ATTEST-73-002 | DONE | Publish payload docs. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | DOCS-ATTEST-73-003 | TODO | Publish policies doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | DOCS-ATTEST-73-004 | TODO | Publish workflows doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | ATTEST-ENVELOPE-73-001 | TODO | Add signing/verification helpers with KMS integration. | Envelope Guild | Path: src/Attestor/StellaOps.Attestor.Envelope | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | ATTEST-TYPES-73-001 | DONE | Create golden payload fixtures. 
| Attestation Payloads Guild | Path: src/Attestor/StellaOps.Attestor.Types | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | ATTESTOR-73-001 | DOING | Ship signing endpoint. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | ATTESTOR-73-002 | TODO | Ship verification pipeline and reports. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | ATTESTOR-73-003 | TODO | Implement list/fetch APIs. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | KMS-72-002 | DONE (2025-10-30) | CLI support for key import/export. | KMS Guild | Path: src/__Libraries/StellaOps.Cryptography.Kms | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | POLICY-ATTEST-73-001 | TODO | Implement VerificationPolicy lifecycle. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 73 — Attestor Console Phase 2 – Signing & Policies | POLICY-ATTEST-73-002 | TODO | Surface policies in Policy Studio. | Policy Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor CLI Phase 3 – Transparency & Chain of Custody | CLI-ATTEST-74-001 | TODO | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. 
| CLI Attestor Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor CLI Phase 3 – Transparency & Chain of Custody | CLI-ATTEST-74-002 | TODO | Implement `stella attest fetch` to download envelopes and payloads to disk. | CLI Attestor Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | DOCS-ATTEST-74-001 | TODO | Publish keys & issuers doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | DOCS-ATTEST-74-002 | TODO | Publish transparency doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | DOCS-ATTEST-74-003 | TODO | Publish console attestor UI doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | DOCS-ATTEST-74-004 | TODO | Publish CLI attest doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | DEVOPS-ATTEST-74-001 | TODO | Deploy transparency witness infra. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | ATTEST-ENVELOPE-73-002 | TODO | Run fuzz tests for envelope handling. | Envelope Guild | Path: src/Attestor/StellaOps.Attestor.Envelope | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | ATTEST-VERIFY-74-001 | TODO | Add telemetry for verification pipeline. 
| Verification Guild | Path: src/Attestor/StellaOps.Attestor.Verify | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | ATTEST-VERIFY-74-002 | TODO | Document verification explainability. | Verification Guild | Path: src/Attestor/StellaOps.Attestor.Verify | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | ATTESTOR-74-001 | DOING | Integrate transparency witness client. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | ATTESTOR-74-002 | TODO | Implement bulk verification worker. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | EXPORT-ATTEST-74-001 | TODO | Build attestation bundle export job. | Attestation Bundle Guild | Path: src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | NOTIFY-ATTEST-74-001 | TODO | Add verification/key notifications. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 74 — Attestor Console Phase 3 – Transparency & Chain of Custody | NOTIFY-ATTEST-74-002 | TODO | Notify key rotation/revocation. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor CLI Phase 4 – Air Gap & Bulk | CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. 
| CLI Attestor Guild, Export Guild | Path: src/Cli/StellaOps.Cli | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | DOCS-ATTEST-75-001 | TODO | Publish attestor airgap doc. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | DOCS-ATTEST-75-002 | TODO | Update AOC invariants for attestations. | Docs Guild | Path: docs | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | DEVOPS-ATTEST-74-002 | TODO | Integrate bundle builds into release/offline pipelines. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | DEVOPS-ATTEST-75-001 | TODO | Dashboards/alerts for attestor metrics. | DevOps Guild | Path: ops/devops | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | ATTESTOR-75-001 | TODO | Support attestation bundle export/import for air gap. | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | ATTESTOR-75-002 | DONE | Harden APIs (rate limits, fuzz tests, threat model actions). | Attestor Service Guild | Path: src/Attestor/StellaOps.Attestor | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | EXPORT-ATTEST-75-001 | TODO | CLI bundle verify/import. | Attestation Bundle Guild | Path: src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 75 — Attestor Console Phase 4 – Air Gap & Bulk | EXPORT-ATTEST-75-002 | TODO | Document attestor airgap workflow. 
| Attestation Bundle Guild | Path: src/ExportCenter/StellaOps.ExportCenter.AttestationBundles | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-56-001 | DONE | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. | AirGap Policy Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-56-002 | DONE | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. Dependencies: AIRGAP-POL-56-001. | AirGap Policy Guild, DevEx Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-57-001 | DONE (2025-11-03) | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. Dependencies: AIRGAP-POL-56-002. | AirGap Policy Guild, BE-Base Platform Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-57-002 | DONE (2025-11-03) | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list.
2025-11-03: Worker wiring pulls `IEgressPolicy`, filesystem dispatcher enforces sealed-mode egress, dispatcher test + grant normalization landed, package versions aligned to rc.2.
Next: ensure other dispatchers/executors reuse the injected policy before enabling sealed-mode runs in worker service. Dependencies: AIRGAP-POL-57-001. | AirGap Policy Guild, Task Runner Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-58-001 | DONE (2025-11-03) | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning.
2025-11-03: Introduced `StellaOps.Telemetry.Core` with OTLP exporter guard; Registry Token Service consumes new telemetry bootstrap; sealed-mode now skips non-loopback collectors and logs remediation guidance; docs refreshed for telemetry/air-gap playbooks. Dependencies: AIRGAP-POL-57-002. | AirGap Policy Guild, Observability Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.A) AirGap | AIRGAP-POL-58-002 | DONE (2025-11-03) | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation.
2025-11-03: CLI now wires HTTP clients through `StellaOps.AirGap.Policy`, returns `AIRGAP_EGRESS_BLOCKED` with remediation when sealed, and docs updated. Dependencies: AIRGAP-POL-58-001. | AirGap Policy Guild, CLI Guild | Path: src/AirGap/StellaOps.AirGap.Policy | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-001 | DONE (2025-11-03) | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures.
2025-11-03: Initial migration, canonical fixtures, and schema doc alignment delivered (LEDGER-29-001). | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-002 | DONE (2025-11-03) | Implement ledger write API (`POST /vuln/ledger/events`) with validation, idempotency, hash chaining, and Merkle root computation job.
2025-11-03: Web service + domain scaffolding landed with canonical hashing helpers, in-memory repository, Merkle scheduler stub, request/response contracts, and unit tests covering hashing & conflict flows. Dependencies: LEDGER-29-001. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-003 | DONE (2025-11-03) | Build projector worker that derives `findings_projection` rows from ledger events + policy determinations; ensure idempotent replay keyed by `(tenant,finding_id,policy_version)`.
2025-11-03: Postgres projection services landed with replay checkpoints, fixtures, and unit coverage (LEDGER-29-003). Dependencies: LEDGER-29-002. | Findings Ledger Guild, Scheduler Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-004 | DONE (2025-11-04) | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references.
2025-11-04: Ledger service now calls `/api/policy/eval/batch` with resilient HttpClient, shared cache, and inline fallback; documentation/config samples updated; ledger tests executed (`dotnet test src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/StellaOps.Findings.Ledger.Tests.csproj --no-restore`). Dependencies: LEDGER-29-003. | Findings Ledger Guild, Policy Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-005 | DONE | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. Dependencies: LEDGER-29-004. | Findings Ledger Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.B) Findings.I | LEDGER-29-006 | DONE | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. Dependencies: LEDGER-29-005. | Findings Ledger Guild, Security Guild | Path: src/Findings/StellaOps.Findings.Ledger | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.C) Policy.II | POLICY-ENGINE-27-003 | DONE | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (`ERR_POL_COMPLEXITY`). Dependencies: POLICY-ENGINE-27-002. | Policy Guild, Security Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 120 — [Policy & Reasoning] 120.C) Policy.II | POLICY-ENGINE-27-004 | DONE | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. Dependencies: POLICY-ENGINE-27-003. 
| Policy Guild, QA Guild | Path: src/Policy/StellaOps.Policy.Engine | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `SCANNER-ANALYZERS-LANG-10-308R` | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust) | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. | DONE | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `SCANNER-ANALYZERS-LANG-10-309R` | DONE (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust) | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. Dependencies: SCANNER-ANALYZERS-LANG-10-308R. | DONE | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `ENTRYTRACE-SURFACE-01` | DONE (2025-11-02) | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `ENTRYTRACE-SURFACE-02` | DONE (2025-11-02) | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. Dependencies: ENTRYTRACE-SURFACE-01. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `SCANNER-ENTRYTRACE-18-509` | DONE (2025-11-02) | Add regression coverage for EntryTrace surfaces (result store, WebService endpoint, CLI renderer) and NDJSON hashing. 
| EntryTrace Guild, QA Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `SCANNER-ENTRYTRACE-18-507` | DONE (2025-11-02) | Expand candidate discovery beyond ENTRYPOINT/CMD by scanning Docker history metadata and default service directories (`/etc/services/**`, `/s6/**`, `/etc/supervisor/*.conf`, `/usr/local/bin/*-entrypoint`) when explicit commands are absent. Dependencies: SCANNER-ENTRYTRACE-18-509. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `SCANNER-ENTRYTRACE-18-508` | DONE (2025-11-02) | Extend wrapper catalogue to collapse language/package launchers (`bundle`, `bundle exec`, `docker-php-entrypoint`, `npm`, `yarn node`, `pipenv`, `poetry run`) and vendor init scripts before terminal classification. Dependencies: SCANNER-ENTRYTRACE-18-507. | EntryTrace Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `LANG-SURFACE-01` | DONE (2025-11-03) | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites.
2025-11-03: CompositeScanAnalyzerDispatcher now enforces Surface.Validation prior to language analyzers and propagates actionable failure diagnostics. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `LANG-SURFACE-02` | DONE (2025-11-03) | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. Dependencies: LANG-SURFACE-01.
2025-11-03: Language analyzer runs fingerprint the workspace and persist results via Surface.FS cache helper for deterministic reuse. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.I | `LANG-SURFACE-03` | DONE (2025-11-03) | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. Dependencies: LANG-SURFACE-02.
2025-11-03: LanguageAnalyzerContext exposes Surface.Secrets-backed helper for registry/feed credentials with unit coverage. | Language Analyzer Guild | Path: src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-EVENTS-16-302` | DONE (2025-11-06) | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. Dependencies: SCANNER-EVENTS-16-301.
2025-11-06 22:55Z: Dispatcher honours configurable console/API segments; docs and samples refreshed; added regression test for custom segments. `dotnet test` previously blocked by legacy Surface cache ctor signature (tracked under Surface task).
2025-11-06 23:30Z: Report DSSE fixtures re-synced; Surface cache ctor drift repaired; `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests --no-build` now green end-to-end. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-SECRETS-01` | DONE (2025-11-06) | Adopt `StellaOps.Scanner.Surface.Secrets` for registry/CAS credentials during scan execution.
2025-11-02: Surface.Secrets provider wired for CAS token retrieval; integration tests added.
2025-11-06: Replaced registry credential plumbing with shared provider + rotation-aware metrics; introduced registry secret stage and analysis keys.
2025-11-06 23:40Z: Installed .NET 10 RC2 runtime, parser/stage unit suites green (`dotnet test` Surface.Secrets + Worker focused filter). | Scanner Worker Guild, Security Guild | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-SECRETS-02` | DONE (2025-11-06) | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). Dependencies: SCANNER-SECRETS-01.
2025-11-02: WebService export path now resolves registry credentials via Surface.Secrets stub; CI pipeline hook in progress.
2025-11-06: Picking up Surface.Secrets provider usage across report/export flows and removing legacy secret file readers.
2025-11-06 21:40Z: WebService options now consume `cas-access` secrets via configurator; storage mirrors updated; targeted tests passing.
2025-11-06 23:58Z: Registry + attestation secrets sourced via Surface.Secrets (options extended, configurator + tests updated); Surface.Secrets & configurator test suites executed on .NET 10 RC2 runtime. | Scanner WebService Guild, Security Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-SURFACE-01` | DONE (2025-11-06) | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments.
2025-11-02: Worker pipeline emitting draft Surface.FS manifests for sample scans; determinism checks running.
2025-11-06: Continuing with manifest writer abstraction + telemetry wiring for Surface.FS persistence.
2025-11-06 18:45Z: Resumed work; targeting manifest writer abstraction, CAS persistence hooks, and telemetry/test coverage updates.
2025-11-06 20:20Z: Published Surface worker Grafana dashboard + updated design doc; WebService pointer integration test now covers manifest/payload artefacts. | Scanner Worker Guild | Path: src/Scanner/StellaOps.Scanner.Worker | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-SURFACE-02` | DONE (2025-11-05) | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. Dependencies: SCANNER-SURFACE-01.
2025-11-05: Surface pointer projection wired through WebService endpoints, orchestrator samples & DSSE fixtures refreshed with `surface` manifest block, and regression suite (platform events, report sample, ready check) updated. | Scanner WebService Guild | Path: src/Scanner/StellaOps.Scanner.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 130 — Scanner & Surface / Scanner.VII | `SCANNER-SURFACE-03` | DONE (2025-11-07) | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. Dependencies: SCANNER-SURFACE-02.
2025-11-06: Starting BuildX manifest upload implementation with Surface.FS client abstraction and integration tests.
2025-11-07 15:30Z: Resumed BuildX plugin Surface wiring; analyzing Surface.FS models, CAS flow, and upcoming tests before coding.
2025-11-07 22:10Z: Added Surface manifest writer + CLI flags to the BuildX plug-in, persisted artefacts into CAS, regenerated docs/fixtures, and shipped new tests covering the writer + descriptor flow. | BuildX Plugin Guild | Path: src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 320 — Docs Modules Export Center | CENTER-DOCS-0001 | DONE (2025-11-05) | Validate that `docs/modules/export-center/README.md` matches the latest release notes, including devportal offline profile, DSSE manifest signatures, and supporting specs. | Docs Guild | Path: docs/modules/export-center/TASKS.md | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | SCANNER-DOCS-0001 | DONE (2025-11-05) | Validate that `docs/modules/scanner/README.md` is current with platform-event coverage (`scanner.report.ready@1`, `scanner.scan.completed@1`). | Docs Guild | Path: docs/modules/scanner/TASKS.md | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | SCANNER-DOCS-0002 | DONE (2025-11-02) | Keep scanner benchmark comparisons (Trivy/Grype/Snyk) and deep-dive matrices up to date with cited sources. | Docs Guild | Path: docs/modules/scanner/TASKS.md | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-001 | DONE (2025-11-02) | Maintain the scanner comparison doc for Trivy/Grype/Snyk with refreshed deep dives and ecosystem matrices. | Docs Guild, Scanner Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-007 | DONE (2025-11-05) | Publish secret leak detection documentation (rules, policy templates) once implementation lands. 
| Docs Guild, Security Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-010 | DONE (2025-11-02) | Document PHP analyzer parity gaps with technique tables and policy hooks. | Docs Guild, PHP Analyzer Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-011 | DONE (2025-11-02) | Capture Deno runtime gap analysis versus competitors, including detection/merge strategy tables. | Docs Guild, Language Analyzer Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-012 | DONE (2025-11-02) | Add Dart ecosystem comparisons and task linkage in `scanning-gaps-stella-misses-from-competitors.md`. | Docs Guild, Language Analyzer Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-013 | DONE (2025-11-02) | Expand Swift coverage analysis with implementation techniques and policy considerations. | Docs Guild, Swift Analyzer Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-014 | DONE (2025-11-02) | Detail Kubernetes/VM target coverage gaps and linkage with Zastava/Runtime docs. | Docs Guild, Runtime Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 327 — Docs Modules Scanner | DOCS-SCANNER-BENCH-62-015 | DONE (2025-11-02) | Document DSSE/Rekor operator enablement guidance drawn from competitor comparisons. 
| Docs Guild, Export Center Guild | Path: docs/benchmarks/scanner | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 112 — Concelier.I | CONCELIER-CRYPTO-90-001 | DONE (2025-11-08) | Route WebService hashing through `ICryptoHash` so sovereign deployments (e.g., RootPack_RU) can select CryptoPro/PKCS#11 providers; discovery, chunk builders, and seed processors updated accordingly. | Concelier WebService Guild, Security Guild | Path: src/Concelier/StellaOps.Concelier.WebService | 2025-10-19 | +| docs/implplan/archived/updates/tasks.md | Sprint 158 — TaskRunner.II | TASKRUN-43-001 | DONE (2025-11-06) | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logging for TaskRunner. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 | +| docs/implplan/archived/updates/SPRINT_100_identity_signing.md | Sprint 100 Identity Signing | AUTH-AIRGAP-57-001 | DONE (2025-11-08) | | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. (Deps: AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002.) | | +| docs/implplan/archived/updates/SPRINT_100_identity_signing.md | Sprint 100 Identity Signing | AUTH-PACKS-43-001 | DONE (2025-11-09) | | Authority Core & Security Guild (src/Authority/StellaOps.Authority) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. (Deps: AUTH-PACKS-41-001, TASKRUN-42-001, ORCH-SVC-42-101.) 
| | +| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-004 | DOING | | | | | +| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-009 | DONE (2025-11-12) | | | | | +| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | AIAI-31-008 | TODO | | | | | +| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | SBOM-AIAI-31-003 | BLOCKED | | | | | +| docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md | Sprint 110 Ingestion Evidence 2025-11-13 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | | | | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-001` | DONE | Build the deterministic input normalizer + VFS merger for `deno.json(c)`, import maps, lockfiles, vendor trees, `$DENO_DIR`, and OCI layers so analyzers have a canonical file view. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | — | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-002` | DONE | Implement the module graph resolver covering static/dynamic imports, npm bridge, cache lookups, built-ins, WASM/JSON assertions, and annotate edges with their resolution provenance. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-001 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-003` | DONE | Ship the npm/node compatibility adapter that maps `npm:` specifiers, evaluates `exports` conditionals, and logs builtin usage for policy overlays. 
| Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-002 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-004` | DONE | Add the permission/capability analyzer covering FS/net/env/process/crypto/FFI/workers plus dynamic-import + literal fetch heuristics with reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-003 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-005` | DONE | Build bundle/binary inspectors for eszip and `deno compile` executables to recover graphs, configs, embedded resources, and snapshots. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-004 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-006` | DONE | Implement the OCI/container adapter that stitches per-layer Deno caches, vendor trees, and compiled binaries back into provenance-aware analyzer inputs. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-005 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-007` | DONE | Produce AOC-compliant observation writers (entrypoints, modules, capability edges, workers, warnings, binaries) with deterministic reason codes. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-006 | | +| docs/implplan/archived/updates/SPRINT_130_scanner_surface.md | Sprint 130 Scanner Surface | `SCANNER-ANALYZERS-DENO-26-008` | DONE | Finalize fixture + benchmark suite (vendor/npm/FFI/worker/dynamic import/bundle/cache/container cases) validating analyzer determinism and performance. 
| Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno) | SCANNER-ANALYZERS-DENO-26-007 | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0002` | DONE (2025-11-09) | Design the Node.js lockfile collector + CLI validator per `docs/benchmarks/scanner/scanning-gaps-stella-misses-from-competitors.md`, capturing Surface + policy requirements before implementation. | Scanner Guild, CLI Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0003` | DONE (2025-11-09) | Design Python lockfile + editable-install parity checks with policy predicates and CLI workflow coverage as outlined in the gap analysis. | Python Analyzer Guild, CLI Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0004` | DONE (2025-11-09) | Design Java lockfile ingestion/validation (Gradle/SBT collectors, CLI verb, policy hooks) to close comparison gaps. | Java Analyzer Guild, CLI Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0005` | DONE (2025-11-09) | Enhance Go stripped-binary fallback inference design, including inferred module metadata + policy integration, per the gap analysis. | Go Analyzer Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0006` | DONE (2025-11-09) | Expand Rust fingerprint coverage design (enriched fingerprint catalogue + policy controls) per the comparison matrix. 
| Rust Analyzer Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md | Sprint 137 Scanner Gap Design | `SCANNER-ENG-0007` | DONE (2025-11-09) | Design the deterministic secret leak detection pipeline covering rule packaging, Policy Engine integration, and CLI workflow. | Scanner Guild, Policy Guild (docs/modules/scanner) | — | | +| docs/implplan/archived/updates/2025-10-18-docs-guild.md | Update note | Docs Guild Update — 2025-10-18 | INFO | **Subject:** ADR process + events schema validation shipped | | | 2025-10-18 | +| docs/implplan/archived/updates/2025-10-19-docs-guild.md | Update note | Docs Guild Update — 2025-10-19 | INFO | **Subject:** Event envelope reference & canonical samples | | | 2025-10-19 | +| docs/implplan/archived/updates/2025-10-19-platform-events.md | Update note | Platform Events Update — 2025-10-19 | INFO | **Subject:** Canonical event samples enforced across tests & CI | | | 2025-10-19 | +| docs/implplan/archived/updates/2025-10-19-scanner-policy.md | Update note | 2025-10-19 – Scanner ↔ Policy Sync | INFO | - Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync. | | | 2025-10-19 | +| docs/implplan/archived/updates/2025-10-19-scheduler-storage.md | Update note | Scheduler Storage Update — 2025-10-19 | INFO | **Subject:** Mongo bootstrap + canonical fixtures | | | 2025-10-19 | +| docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md | Update note | 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates | INFO | - Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. 
Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks. | | | 2025-10-20 | +| docs/implplan/archived/updates/2025-10-20-scanner-events.md | Update note | 2025-10-20 – Scanner Platform Events Hardening | INFO | - Scanner WebService now wires a reusable `IRedisConnectionFactory`, simplifying redis transport testing and reuse for future adapters. | | | 2025-10-20 | +| docs/implplan/archived/updates/2025-10-22-docs-guild.md | Update note | Docs Guild Update — 2025-10-22 | INFO | **Subject:** Concelier Authority toggle rollout polish | | | 2025-10-22 | +| docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md | Update note | 2025-10-26 — Authority graph scopes documentation refresh | INFO | - Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations). | | | 2025-10-26 | +| docs/implplan/archived/updates/2025-10-26-scheduler-graph-jobs.md | Update note | 2025-10-26 — Scheduler Graph Job DTOs ready for integration | INFO | SCHED-MODELS-21-001 delivered the new `GraphBuildJob`/`GraphOverlayJob` contracts and SCHED-MODELS-21-002 publishes the accompanying documentation + samples for downstream teams. | | | 2025-10-26 | +| docs/implplan/archived/updates/2025-10-27-console-security-signoff.md | Update note | Console Security Checklist Sign-off — 2025-10-27 | INFO | - Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. 
| | | 2025-10-27 | +| docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md | Update note | 2025-10-27 — Orchestrator operator scope & audit metadata | INFO | - Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`. | | | 2025-10-27 | +| docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md | Update note | 2025-10-27 — Policy scope migration guidance | INFO | - Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`). | | | 2025-10-27 | +| docs/implplan/archived/updates/2025-10-27-task-packs-docs.md | Update note | Docs Guild Update — Task Pack Docs (2025-10-27) | INFO | - Added Task Pack core documentation set: | | | 2025-10-27 | +| docs/implplan/archived/updates/2025-10-28-docs-guild.md | Update note | Docs Guild Update — 2025-10-28 | INFO | - Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist. | | | 2025-10-28 | +| docs/implplan/archived/updates/2025-10-29-export-center-provenance.md | Update note | 2025-10-29 – Export Center provenance/signing doc | INFO | - Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist. | | | 2025-10-29 | +| docs/implplan/archived/updates/2025-10-29-notify-docs.md | Update note | 2025-10-29 – Notifications Studio docs sync prep | INFO | - Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39. 
| | | 2025-10-29 | +| docs/implplan/archived/updates/2025-10-29-scheduler-policy-doc-refresh.md | Update note | 2025-10-29 — Scheduler/Policy Guild Doc Refresh | INFO | - Extended `SCHED-MODELS-20-001` with environment metadata guidance, lifecycle semantics, and diff payload breakdown for Policy Engine runs. | | | 2025-10-29 | +| docs/implplan/archived/updates/2025-10-30-devops-governance.md | Update note | 30 Oct 2025 — Governance rules anchor consolidated | INFO | **What changed** | | | 2025-10-30 | +| docs/implplan/archived/updates/2025-10-31-console-security-refresh.md | Update note | 2025-10-31 — Console Security Docs Refresh | INFO | - Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour. | | | 2025-10-31 | +| docs/implplan/archived/updates/2025-10-cleanup.md | Update note | Backlog Cleanup — 26 October 2025 | INFO | This note captures the Sprint backlog hygiene pass applied on 26 October 2025. The goal was to eliminate legacy tasks that violated the aggregation-only contract (AOC), duplicated scope, or conflicted with the current module ownership map. 
| | | | +| docs/implplan/archived/updates/2025-11-01-orch-admin-scope.md | Update note | 2025-11-01 · Authority adds Orch.Admin quota controls | INFO | **What changed** | | | 2025-11-01 | +| docs/implplan/archived/updates/2025-11-02-pack-scope-profiles.md | Update note | 2025-11-02 · Pack scope catalogue & CLI profiles | INFO | **What changed** | | | 2025-11-02 | +| docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md | Update note | Authority Plugin LDAP Review — 2025-11-03 | INFO | - Auth Guild core (Authority Host Crew) | | | 2025-11-03 | +| docs/implplan/archived/updates/2025-11-03-vuln-explorer-access-controls.md | Update note | 2025-11-03 – Vuln Explorer access controls refresh | INFO | - Expanded `docs/11_AUTHORITY.md` with attachment signing tokens, ledger verification workflow, and a Vuln Explorer security checklist. | | | 2025-11-03 | +| docs/implplan/archived/updates/2025-11-05-excitor-consensus-beta.md | Update note | 2025-11-05 – Excitor consensus API beta | INFO | **Subject:** Excitor consensus export/API preview ships \ | | | 2025-11-05 | +| docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md | Update note | 2025-11-07 – Concelier advisory chunks API | INFO | **Subject:** Paragraph-anchored advisory chunks land for Advisory AI | | | 2025-11-07 | +| docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md | Update note | 2025-11-09 — Authority LDAP Plug-in Readiness (PLG7.IMPL-005) | INFO | - Added a dedicated LDAP quick-reference section to the Authority plug-in developer guide covering mutual TLS requirements, DN→role regex mappings, Mongo-backed claim caching, and the client-provisioning audit mirror. 
| | | 2025-11-09 | +| docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md | Update note | 2025-11-12 – Notifications Attestation Template Suite | INFO | - Introduced the canonical `tmpl-attest-*` template family covering verification failures, expiring attestations, key rotations, and transparency anomalies. | | | 2025-11-12 | diff --git a/docs/updates/2025-10-18-docs-guild.md b/docs/implplan/archived/updates/2025-10-18-docs-guild.md similarity index 98% rename from docs/updates/2025-10-18-docs-guild.md rename to docs/implplan/archived/updates/2025-10-18-docs-guild.md index caecb2fd0..69af7df02 100644 --- a/docs/updates/2025-10-18-docs-guild.md +++ b/docs/implplan/archived/updates/2025-10-18-docs-guild.md 
@@ -1,14 +1,14 @@ -# Docs Guild Update — 2025-10-18 - -**Subject:** ADR process + events schema validation shipped -**Audience:** Docs Guild, DevEx, Platform Events - -- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow. -- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories. -- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`. -- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access. -- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements. - -Next steps: -- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs. -- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed. +# Docs Guild Update — 2025-10-18 + +**Subject:** ADR process + events schema validation shipped +**Audience:** Docs Guild, DevEx, Platform Events + +- Published the ADR contribution guide at `docs/adr/index.md` and enriched the template to capture authorship, deciders, and alternatives. All new cross-module decisions should follow this workflow. +- Linked the ADR hub from `docs/README.md` so operators and engineers can discover the process without digging through directories. +- Extended Docs CI (`.gitea/workflows/docs.yml`) to compile event schemas with Ajv (including `ajv-formats`) and documented the local loop in `docs/events/README.md`. 
+- Captured the mirror/offline workflow in `docs/ci/20_CI_RECIPES.md` so runners know how to install the Ajv toolchain and publish previews without internet access. +- Validated `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1` schemas locally to unblock Platform Events acknowledgements. + +Next steps: +- Platform Events to confirm Notify/Scheduler consumers have visibility into the schema docs. +- DevEx to add ADR announcement blurb to the next sprint recap if broader broadcast is needed. diff --git a/docs/updates/2025-10-19-docs-guild.md b/docs/implplan/archived/updates/2025-10-19-docs-guild.md similarity index 98% rename from docs/updates/2025-10-19-docs-guild.md rename to docs/implplan/archived/updates/2025-10-19-docs-guild.md index bd6c5d91e..dd8375ce8 100644 --- a/docs/updates/2025-10-19-docs-guild.md +++ b/docs/implplan/archived/updates/2025-10-19-docs-guild.md 
@@ -1,12 +1,12 @@ -# Docs Guild Update — 2025-10-19 - -**Subject:** Event envelope reference & canonical samples -**Audience:** Docs Guild, Platform Events, Runtime Guild - -- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields. -- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas. -- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions. - -Next steps: -- Platform Events to embed the canonical samples into their contract tests. -- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off. +# Docs Guild Update — 2025-10-19 + +**Subject:** Event envelope reference & canonical samples +**Audience:** Docs Guild, Platform Events, Runtime Guild + +- Extended `docs/events/README.md` with envelope field tables, offline validation commands, and guidance for optional payload fields. +- Added canonical sample payloads under `docs/events/samples/` for `scanner.report.ready@1`, `scheduler.rescan.delta@1`, and `attestor.logged@1`; validated them with `ajv-cli` to match the published schemas. +- Documented the validation loop so air-gapped operators can mirror the CI checks before rolling new event versions. + +Next steps: +- Platform Events to embed the canonical samples into their contract tests. +- Runtime Guild checklist for quieted finding counts & progress hints published in `docs/runtime/SCANNER_RUNTIME_READINESS.md`; gather stakeholder sign-off. 
diff --git a/docs/updates/2025-10-19-platform-events.md b/docs/implplan/archived/updates/2025-10-19-platform-events.md similarity index 98% rename from docs/updates/2025-10-19-platform-events.md rename to docs/implplan/archived/updates/2025-10-19-platform-events.md index 840398d0c..91539d433 100644 --- a/docs/updates/2025-10-19-platform-events.md +++ b/docs/implplan/archived/updates/2025-10-19-platform-events.md 
@@ -1,10 +1,10 @@ -# Platform Events Update — 2025-10-19 - -**Subject:** Canonical event samples enforced across tests & CI -**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild - -- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`. -- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations. -- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned. - -No additional follow-ups — downstream teams can rely on the committed samples for integration coverage. +# Platform Events Update — 2025-10-19 + +**Subject:** Canonical event samples enforced across tests & CI +**Audience:** Platform Events Guild, Notify Guild, Scheduler Guild, Docs Guild + +- Scanner WebService contract tests deserialize `scanner.report.ready@1` and `scanner.scan.completed@1` samples, validating DSSE payloads and canonical ordering via `NotifyCanonicalJsonSerializer`. +- Notify and Scheduler model suites now round-trip the published event samples (including `attestor.logged@1` and `scheduler.rescan.delta@1`) to catch drift in consumer expectations. +- Docs CI (`.gitea/workflows/docs.yml`) validates every sample against its schema with `ajv-cli`, keeping offline bundles and repositories aligned. + +No additional follow-ups — downstream teams can rely on the committed samples for integration coverage. diff --git a/docs/updates/2025-10-19-scanner-policy.md b/docs/implplan/archived/updates/2025-10-19-scanner-policy.md similarity index 99% rename from docs/updates/2025-10-19-scanner-policy.md rename to docs/implplan/archived/updates/2025-10-19-scanner-policy.md index 758a0f167..a4f1e3d08 100644 
--- a/docs/updates/2025-10-19-scanner-policy.md +++ b/docs/implplan/archived/updates/2025-10-19-scanner-policy.md @@ -1,5 +1,5 @@ -# 2025-10-19 – Scanner ↔ Policy Sync - -- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync. -- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring. -- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship. +# 2025-10-19 – Scanner ↔ Policy Sync + +- Scanner WebService now emits `scanner.report.ready` and `scanner.scan.completed` via Redis Streams when `scanner.events.enabled=true`; DSSE envelopes are embedded verbatim to keep Notify/UI consumers in sync. +- Config plumbing introduces `scanner:events:*` settings (driver, DSN, stream, publish timeout) with validation and Redis-backed publisher wiring. +- Policy Guild coordination task `POLICY-RUNTIME-17-201` opened to track Zastava runtime feed contract; `SCANNER-RUNTIME-17-401` now depends on it so reachability tags stay aligned once runtime endpoints ship. diff --git a/docs/updates/2025-10-19-scheduler-storage.md b/docs/implplan/archived/updates/2025-10-19-scheduler-storage.md similarity index 98% rename from docs/updates/2025-10-19-scheduler-storage.md rename to docs/implplan/archived/updates/2025-10-19-scheduler-storage.md index 61541cc3f..6bb203698 100644 --- a/docs/updates/2025-10-19-scheduler-storage.md +++ b/docs/implplan/archived/updates/2025-10-19-scheduler-storage.md 
@@ -1,8 +1,8 @@ -# Scheduler Storage Update — 2025-10-19 - -**Subject:** Mongo bootstrap + canonical fixtures -**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams - -- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks. -- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact. -- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup. +# Scheduler Storage Update — 2025-10-19 + +**Subject:** Mongo bootstrap + canonical fixtures +**Audience:** Scheduler Storage Guild, Scheduler WebService/Worker teams + +- Added `StellaOps.Scheduler.Storage.Mongo` bootstrap (`AddSchedulerMongoStorage`) with collection/index migrations for schedules, runs (incl. TTL), impact snapshots, audit, and locks. +- Introduced Mongo2Go-backed tests that round-trip the published scheduler samples (`samples/api/scheduler/*.json`) to ensure canonical JSON stays intact. +- `ISchedulerMongoInitializer.EnsureMigrationsAsync` now provides the single entry point for WebService/Worker hosts to apply migrations at startup. diff --git a/docs/updates/2025-10-20-authority-identity-registry.md b/docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md similarity index 99% rename from docs/updates/2025-10-20-authority-identity-registry.md rename to docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md index 7f254e66d..9282d44c6 100644 --- a/docs/updates/2025-10-20-authority-identity-registry.md +++ b/docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md 
@@ -1,14 +1,14 @@ -# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates - -## Summary -- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks. -- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised. -- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs. - -## Operator impact -- No configuration changes are required; existing YAML and environment-based settings continue to function. -- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use. - -## Developer notes -- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`. -- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set. +# 2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates + +## Summary +- Authority host now resolves identity providers through the new metadata/handle pattern introduced in `StellaOps.Authority.Plugins.Abstractions`. 
Runtime handlers (`ValidateClientCredentialsHandler`, `ValidatePasswordGrantHandler`, `ValidateAccessTokenHandler`, bootstrap endpoints) acquire providers with `IAuthorityIdentityProviderRegistry.AcquireAsync` and rely on metadata (`AuthorityIdentityProviderMetadata`) for capability checks. +- Unit and integration tests build lightweight `ServiceProvider` instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised. +- DPoP nonce enforcement now prefers `NormalizedAudiences` when populated and gracefully falls back to the configured `RequiredAudiences`, eliminating the runtime type mismatch that previously surfaced during test runs. + +## Operator impact +- No configuration changes are required; existing YAML and environment-based settings continue to function. +- Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use. + +## Developer notes +- When adding new identity providers or tests, register plugins via `ServiceCollection` and call `new AuthorityIdentityProviderRegistry(serviceProvider, logger)`. +- For DPoP-required endpoints, populate `security.senderConstraints.dpop.nonce.requiredAudiences` or rely on defaults; both now funnel through the normalized set. diff --git a/docs/updates/2025-10-20-scanner-events.md b/docs/implplan/archived/updates/2025-10-20-scanner-events.md similarity index 100% rename from docs/updates/2025-10-20-scanner-events.md rename to docs/implplan/archived/updates/2025-10-20-scanner-events.md diff --git a/docs/updates/2025-10-22-docs-guild.md b/docs/implplan/archived/updates/2025-10-22-docs-guild.md similarity index 98% rename from docs/updates/2025-10-22-docs-guild.md rename to docs/implplan/archived/updates/2025-10-22-docs-guild.md index c440e1bcb..0138cb65f 100644 --- a/docs/updates/2025-10-22-docs-guild.md 
+++ b/docs/implplan/archived/updates/2025-10-22-docs-guild.md 
@@ -1,13 +1,13 @@ -# Docs Guild Update — 2025-10-22 - -**Subject:** Concelier Authority toggle rollout polish -**Audience:** Docs Guild, Concelier WebService Guild, Authority Core - -- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step. -- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement. -- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned. -- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors. - -Next steps: -- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review. -- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build. +# Docs Guild Update — 2025-10-22 + +**Subject:** Concelier Authority toggle rollout polish +**Audience:** Docs Guild, Concelier WebService Guild, Authority Core + +- Added a rollout phase table to `docs/10_CONCELIER_CLI_QUICKSTART.md`, clarifying how `authority.enabled` and `authority.allowAnonymousFallback` move from validation to enforced mode and highlighting the audit/metric signals to watch at each step. +- Extended the Authority integration checklist in the same quickstart so operators tie CLI smoke tests to audit counters before flipping enforcement. 
+- Refreshed `docs/modules/concelier/operations/authority-audit-runbook.md` with the latest date stamp, prerequisites, and pre-check guidance that reference the quickstart timeline; keeps change-request templates aligned. +- Documented the new Go analyzer artefacts in `docs/24_OFFLINE_KIT.md` (manifest excerpt + tarball smoke test) so Ops can confirm the plug-in ships in the 2025‑10‑22 bundle before promoting it to mirrors. + +Next steps: +- Concelier WebService owners to link this update in the next deployment bulletin once FEEDWEB-DOCS-01-001 clears review. +- Docs Guild to verify the Offline Kit doc bundle picks up the quickstart/runbook changes after the nightly build. diff --git a/docs/updates/2025-10-26-authority-graph-scopes.md b/docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md similarity index 98% rename from docs/updates/2025-10-26-authority-graph-scopes.md rename to docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md index 0bd8a0fa7..a3fe752e5 100644 --- a/docs/updates/2025-10-26-authority-graph-scopes.md +++ b/docs/implplan/archived/updates/2025-10-26-authority-graph-scopes.md 
@@ -1,15 +1,15 @@ -# 2025-10-26 — Authority graph scopes documentation refresh - -## Summary - -- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations). -- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults. -- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services. - -## Next steps - -| Team | Follow-up | Target | -|------|-----------|--------| -| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 | -| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up | -| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up | +# 2025-10-26 — Authority graph scopes documentation refresh + +## Summary + +- Documented least-privilege guidance for the new `graph:*` scopes in `docs/11_AUTHORITY.md` (scope mapping, tenant propagation, and DPoP expectations). +- Extended the sample client table/config to include Cartographer and Graph API registrations so downstream teams can copy/paste the correct defaults. +- Highlighted the requirement to consume `StellaOpsScopes` constants instead of hard-coded scope strings across services. + +## Next steps + +| Team | Follow-up | Target | +|------|-----------|--------| +| Authority Core | Ensure `/jwks` changelog references graph scope rollout in next release note. | 2025-10-28 | +| Graph API Guild | Update gateway scaffolding to request scopes from `StellaOpsScopes` once the host project lands. | Sprint 21 stand-up | +| Scheduler Guild | Confirm Cartographer client onboarding uses the new sample secret templates. | Sprint 21 stand-up | 
diff --git a/docs/updates/2025-10-26-scheduler-graph-jobs.md b/docs/implplan/archived/updates/2025-10-26-scheduler-graph-jobs.md similarity index 100% rename from docs/updates/2025-10-26-scheduler-graph-jobs.md rename to docs/implplan/archived/updates/2025-10-26-scheduler-graph-jobs.md diff --git a/docs/updates/2025-10-27-console-security-signoff.md b/docs/implplan/archived/updates/2025-10-27-console-security-signoff.md similarity index 98% rename from docs/updates/2025-10-27-console-security-signoff.md rename to docs/implplan/archived/updates/2025-10-27-console-security-signoff.md index 5750ad000..e6682d38f 100644 --- a/docs/updates/2025-10-27-console-security-signoff.md +++ b/docs/implplan/archived/updates/2025-10-27-console-security-signoff.md 
@@ -1,48 +1,48 @@ -# Console Security Checklist Sign-off — 2025-10-27 - -## Summary - -- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. -- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. -- Result: **PASS** – console may progress with Sprint 23 release gating. - -## Authority client validation - -- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. -- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. - -## CSP enforcement - -- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. -- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. - -## Fresh-auth timer - -- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle. -- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. - -## DPoP binding test - -- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. -- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. - -## Offline mode exercise - -- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. -- Imported Offline Kit manifest; parity checks report `OK` status. 
- -## Evidence parity - -- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run `; SHA-256 digests match. -- Verified Downloads workspace never caches bundle contents (only manifest metadata stored). - -## Monitoring & alerts - -- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. -- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. - -## Sign-off - -- Reviewed by **Security Guild** (lead: `@sec-lfox`). -- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`). - +# Console Security Checklist Sign-off — 2025-10-27 + +## Summary + +- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. +- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. +- Result: **PASS** – console may progress with Sprint 23 release gating. + +## Authority client validation + +- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. +- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. + +## CSP enforcement + +- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. +- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. 
+ +## Fresh-auth timer + +- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle. +- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. + +## DPoP binding test + +- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. +- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. + +## Offline mode exercise + +- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. +- Imported Offline Kit manifest; parity checks report `OK` status. + +## Evidence parity + +- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run `; SHA-256 digests match. +- Verified Downloads workspace never caches bundle contents (only manifest metadata stored). + +## Monitoring & alerts + +- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. +- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. + +## Sign-off + +- Reviewed by **Security Guild** (lead: `@sec-lfox`). +- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`). + diff --git a/docs/updates/2025-10-27-orch-operator-scope.md b/docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md similarity index 98% rename from docs/updates/2025-10-27-orch-operator-scope.md rename to docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md index 64134c86c..7a71ee7a0 100644 --- a/docs/updates/2025-10-27-orch-operator-scope.md +++ b/docs/implplan/archived/updates/2025-10-27-orch-operator-scope.md 
@@ -1,15 +1,15 @@ -# 2025-10-27 — Orchestrator operator scope & audit metadata - -## Summary - -- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`. -- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued. -- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action. - -## Next steps - -| Team | Follow-up | Target | -|------|-----------|--------| -| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. | Sprint 23 stand-up | -| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up | -| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation | +# 2025-10-27 — Orchestrator operator scope & audit metadata + +## Summary + +- Introduced the `orch:operate` scope and `Orch.Operator` role in Authority to unlock Orchestrator control actions while keeping read-only access under `Orch.Viewer`. +- Authority now enforces `operator_reason` and `operator_ticket` parameters on `/token` requests that include `orch:operate`; missing values yield `invalid_request` and no token is issued. +- Client credentials audit events capture both fields (`request.reason`, `request.ticket`), giving SecOps traceability for every control action. + +## Next steps + +| Team | Follow-up | Target | +|------|-----------|--------| +| Console Guild | Wire UI control panels to request `operator_reason`/`operator_ticket` when exchanging tokens for orchestrator actions. 
| Sprint 23 stand-up | +| CLI Guild | Add flags to `stella orch` subcommands to pass reason/ticket metadata before enabling mutations. | Sprint 23 stand-up | +| Orchestrator Service | Enforce presence of `X-Stella-Reason`/`X-Stella-Ticket` (or equivalent metadata) on mutate endpoints and align audit logging. | ORCH-SVC-33-001 implementation | diff --git a/docs/updates/2025-10-27-policy-scope-migration.md b/docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md similarity index 98% rename from docs/updates/2025-10-27-policy-scope-migration.md rename to docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md index df90e1add..72d68a48b 100644 --- a/docs/updates/2025-10-27-policy-scope-migration.md +++ b/docs/implplan/archived/updates/2025-10-27-policy-scope-migration.md 
@@ -1,15 +1,15 @@ -# 2025-10-27 — Policy scope migration guidance - -## Summary - -- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`). -- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes. -- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles. - -## Next steps - -| Team | Follow-up | Target | -|------|-----------|--------| -| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. | 2025-10-29 | -| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up | -| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 | +# 2025-10-27 — Policy scope migration guidance + +## Summary + +- Updated Authority defaults (`etc/authority.yaml`) to register a `policy-cli` client using the fine-grained scope set introduced by AUTH-POLICY-23-001 (`policy:read`, `policy:author`, `policy:review`, `policy:simulate`, `findings:read`). +- Added release/CI documentation call-outs instructing operators to reissue tokens that previously relied on `policy:write`/`policy:submit`/`policy:run` scopes. +- Introduced a repo verification script so future config changes fail CI when policy clients regress to the legacy scope bundles. + +## Next steps + +| Team | Follow-up | Target | +|------|-----------|--------| +| Authority Core | Rotate long-lived policy CLI tokens in staging to confirm new scope set before freezing release 2025.10. 
| 2025-10-29 | +| DevOps Guild | Update automation secrets (CI/CD, offline kit) to point at the regenerated `policy-cli` credentials. | Sprint 23 stand-up | +| Docs Guild | Fold the broader scope matrix refresh into AUTH-POLICY-23-003 once the dual-approval workflow lands. | Blocked on AUTH-POLICY-23-002 | diff --git a/docs/updates/2025-10-27-task-packs-docs.md b/docs/implplan/archived/updates/2025-10-27-task-packs-docs.md similarity index 99% rename from docs/updates/2025-10-27-task-packs-docs.md rename to docs/implplan/archived/updates/2025-10-27-task-packs-docs.md index f479a5b11..e48c418df 100644 --- a/docs/updates/2025-10-27-task-packs-docs.md +++ b/docs/implplan/archived/updates/2025-10-27-task-packs-docs.md 
@@ -1,15 +1,15 @@ -# Docs Guild Update — Task Pack Docs (2025-10-27) - -- Added Task Pack core documentation set: - - `/docs/task-packs/spec.md` - - `/docs/task-packs/authoring-guide.md` - - `/docs/task-packs/registry.md` - - `/docs/task-packs/runbook.md` - - `/docs/security/pack-signing-and-rbac.md` +# Docs Guild Update — Task Pack Docs (2025-10-27) + +- Added Task Pack core documentation set: + - `/docs/task-packs/spec.md` + - `/docs/task-packs/authoring-guide.md` + - `/docs/task-packs/registry.md` + - `/docs/task-packs/runbook.md` + - `/docs/security/pack-signing-and-rbac.md` - `/docs/modules/cli/operations/release-and-packaging.md` -- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks. -- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement). -- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm). -- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds. - +- Each doc includes imposed-rule reminder, compliance checklist, and cross-links to Task Runner, Packs Registry, CLI release tasks. +- Created asset staging instructions at `docs/assets/ui/tours/README.md` (shared with CLI enablement). +- Circulated spec + authoring guide links to Task Runner, Packs Registry, Authority, and DevOps guild channels for technical review (2025-10-27). Target follow-up review once CLI parity tasks (`CLI-PACKS-42-001`, `CLI-PACKS-43-001`) land; tentative sync held for 2025-11-03 (Docs Guild to confirm). +- Sprint tracker `DOCS-PACKS-43-001` marked DOING→DONE; follow-up reviews scheduled with Task Runner and Security guilds. 
+ Artifacts: [Spec](../task-packs/spec.md), [Authoring guide](../task-packs/authoring-guide.md), [Registry](../task-packs/registry.md), [Runbook](../task-packs/runbook.md), [Signing/RBAC](../security/pack-signing-and-rbac.md), [CLI release runbook](../modules/cli/operations/release-and-packaging.md). diff --git a/docs/updates/2025-10-28-docs-guild.md b/docs/implplan/archived/updates/2025-10-28-docs-guild.md similarity index 98% rename from docs/updates/2025-10-28-docs-guild.md rename to docs/implplan/archived/updates/2025-10-28-docs-guild.md index 5d4954b19..94ce5f862 100644 --- a/docs/updates/2025-10-28-docs-guild.md +++ b/docs/implplan/archived/updates/2025-10-28-docs-guild.md 
@@ -1,26 +1,26 @@ -# Docs Guild Update — 2025-10-28 - -## Console security posture draft - -- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist. -- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task. -- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`). - -## Console CLI parity matrix - -- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`). -- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot. - -## Accessibility refresh - -- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance. -- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102. - -Artifacts: - -- Doc: `/docs/security/console-security.md` -- Doc: `/docs/cli-vs-ui-parity.md` -- Doc: `/docs/accessibility.md` -- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE) - -cc: `@authority-core`, `@security-guild`, `@docs-guild` +# Docs Guild Update — 2025-10-28 + +## Console security posture draft + +- Published `docs/security/console-security.md` covering console OIDC/DPoP flow, scope map, fresh-auth sequence, CSP defaults, evidence handling, and monitoring checklist. 
+- Authority owners (`AUTH-CONSOLE-23-003`) to verify `/fresh-auth` token semantics (120 s OpTok, 300 s fresh-auth window) and confirm scope bundles before closing the sprint task. +- Security Guild requested to execute the compliance checklist in §9 and record sign-off in SPRINT 23 log once alerts/dashboards are wired (metrics references: `ui_request_duration_seconds`, `ui_dpop_failure_total`, Grafana board `console-security.json`). + +## Console CLI parity matrix + +- Added `/docs/cli-vs-ui-parity.md` with feature-level status tracking (✅/🟡/🟩). Pending commands reference CLI backlog (`CLI-EXPORT-35-001`, `CLI-POLICY-23-005`, `CONSOLE-DOC-23-502`). +- DevEx/CLI Guild to wire parity CI workflow when CLI downloads commands ship; Downloads workspace already links to the forthcoming parity report slot. + +## Accessibility refresh + +- Published `/docs/accessibility.md` describing keyboard flows, screen-reader behaviour, colour tokens, testing rig (Storybook axe, Playwright a11y), and offline guidance. +- Accessibility Guild (CONSOLE-QA-23-402) to log the next Playwright a11y sweep results against the new checklist; design tokens follow-up tracked via CONSOLE-FEAT-23-102. + +Artifacts: + +- Doc: `/docs/security/console-security.md` +- Doc: `/docs/cli-vs-ui-parity.md` +- Doc: `/docs/accessibility.md` +- Sprint tracker: corresponding sprint file `docs/implplan/SPRINT_*.md` (DOCS-CONSOLE-23-012 now DONE) + +cc: `@authority-core`, `@security-guild`, `@docs-guild` diff --git a/docs/updates/2025-10-29-export-center-provenance.md b/docs/implplan/archived/updates/2025-10-29-export-center-provenance.md similarity index 98% rename from docs/updates/2025-10-29-export-center-provenance.md rename to docs/implplan/archived/updates/2025-10-29-export-center-provenance.md index 63dc98f17..5b258c41c 100644 --- a/docs/updates/2025-10-29-export-center-provenance.md +++ b/docs/implplan/archived/updates/2025-10-29-export-center-provenance.md 
@@ -1,9 +1,9 @@ -# 2025-10-29 – Export Center provenance/signing doc - -## Summary -- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist. -- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling. - -## Follow-ups -- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary. -- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section. +# 2025-10-29 – Export Center provenance/signing doc + +## Summary +- Authored `docs/modules/export-center/provenance-and-signing.md`, covering manifest/provenance artefacts, cosign/SLSA signing pipeline, verification workflows (CLI/CI/offline), and compliance checklist. +- Cross-linked the new guide from the docs index (`docs/README.md`) and referenced outstanding CLI automation (`CLI-EXPORT-37-001`) to keep verification guidance aligned with upcoming tooling. + +## Follow-ups +- [ ] Revisit once `CLI-EXPORT-37-001` lands to confirm command names/flags and update the verification section if necessary. +- [ ] Sync with DevOps (`DEVOPS-EXPORT-37-001`) after dashboards/alerts ship to embed direct links in the failure handling section. diff --git a/docs/updates/2025-10-29-notify-docs.md b/docs/implplan/archived/updates/2025-10-29-notify-docs.md similarity index 98% rename from docs/updates/2025-10-29-notify-docs.md rename to docs/implplan/archived/updates/2025-10-29-notify-docs.md index 3d586cd24..962d0c1a8 100644 --- a/docs/updates/2025-10-29-notify-docs.md +++ b/docs/implplan/archived/updates/2025-10-29-notify-docs.md 
@@ -1,10 +1,10 @@ -# 2025-10-29 – Notifications Studio docs sync prep - -## Summary -- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39. -- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge. -- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas. - -## Follow-ups -- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details. -- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised. +# 2025-10-29 – Notifications Studio docs sync prep + +## Summary +- Published Notifications Studio overview (`notifications/overview.md`) and architecture dossier (`notifications/architecture.md`), complementing the rules/templates/digests deep dives landed earlier in Sprint 39. +- Captured action items to validate connector metadata, quiet-hours semantics, and simulation endpoints once `NOTIFY-SVC-39-001..004` merge. +- Alerted Notifications Service Guild that documentation handoff is pending those feature drops; ready to iterate as soon as the implementation surfaces schemas. + +## Follow-ups +- [ ] Review merged notifier correlation/quiet-hours work (`NOTIFY-SVC-39-001..004`) and refresh overview + architecture docs with any new persistence/API details. +- [ ] Coordinate with DevOps dashboards work (`DEVOPS-NOTIFY-39-002`) to document alert references once metrics names are finalised. 
diff --git a/docs/updates/2025-10-29-scheduler-policy-doc-refresh.md b/docs/implplan/archived/updates/2025-10-29-scheduler-policy-doc-refresh.md similarity index 100% rename from docs/updates/2025-10-29-scheduler-policy-doc-refresh.md rename to docs/implplan/archived/updates/2025-10-29-scheduler-policy-doc-refresh.md diff --git a/docs/updates/2025-10-30-devops-governance.md b/docs/implplan/archived/updates/2025-10-30-devops-governance.md similarity index 100% rename from docs/updates/2025-10-30-devops-governance.md rename to docs/implplan/archived/updates/2025-10-30-devops-governance.md diff --git a/docs/updates/2025-10-31-console-security-refresh.md b/docs/implplan/archived/updates/2025-10-31-console-security-refresh.md similarity index 98% rename from docs/updates/2025-10-31-console-security-refresh.md rename to docs/implplan/archived/updates/2025-10-31-console-security-refresh.md index 7ad84a933..c2e63c1aa 100644 --- a/docs/updates/2025-10-31-console-security-refresh.md +++ b/docs/implplan/archived/updates/2025-10-31-console-security-refresh.md 
@@ -1,12 +1,12 @@ -# 2025-10-31 — Console Security Docs Refresh - -## Summary -- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour. -- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly. -- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations. -- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts. - -## Impact -- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers. -- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off. +# 2025-10-31 — Console Security Docs Refresh + +## Summary +- Documented the new Authority `/console` endpoints (`/tenants`, `/profile`, `/token/introspect`) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour. +- Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly. +- Updated Console security guidance to cover the newly issued `orch:read` scope and clarified session inactivity expectations. +- Annotated `authority.yaml.sample` and the Authority ops runbook so operators forward `X-Stella-Tenant` and understand fresh-auth prompts. + +## Impact +- Console release notes now reference the dedicated `/console` endpoints and their audit identifiers. +- Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off. - Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access. \ No newline at end of file 
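Review bot: the final line of 2025-10-31-console-security-refresh.md (`- Deployment teams have explicit configuration reminders ...`) is still followed by `\ No newline at end of file`, so this rewrite touches every other line yet leaves the file without a trailing newline. The removed and added lines read identically here, which looks like a line-ending normalization; if so, add the final newline in the same pass, as the SPRINT_125_mirror hunk in this patch does, and state the normalization in the commit message so the 98% similarity is not read as a content edit.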
diff --git a/docs/backlog/2025-10-cleanup.md b/docs/implplan/archived/updates/2025-10-cleanup.md similarity index 100% rename from docs/backlog/2025-10-cleanup.md rename to docs/implplan/archived/updates/2025-10-cleanup.md diff --git a/docs/updates/2025-11-01-orch-admin-scope.md b/docs/implplan/archived/updates/2025-11-01-orch-admin-scope.md similarity index 100% rename from docs/updates/2025-11-01-orch-admin-scope.md rename to docs/implplan/archived/updates/2025-11-01-orch-admin-scope.md diff --git a/docs/updates/2025-11-02-pack-scope-profiles.md b/docs/implplan/archived/updates/2025-11-02-pack-scope-profiles.md similarity index 100% rename from docs/updates/2025-11-02-pack-scope-profiles.md rename to docs/implplan/archived/updates/2025-11-02-pack-scope-profiles.md diff --git a/docs/notes/2025-11-03-authority-plugin-ldap-review.md b/docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md similarity index 100% rename from docs/notes/2025-11-03-authority-plugin-ldap-review.md rename to docs/implplan/archived/updates/2025-11-03-authority-plugin-ldap-review.md diff --git a/docs/updates/2025-11-03-vuln-explorer-access-controls.md b/docs/implplan/archived/updates/2025-11-03-vuln-explorer-access-controls.md similarity index 100% rename from docs/updates/2025-11-03-vuln-explorer-access-controls.md rename to docs/implplan/archived/updates/2025-11-03-vuln-explorer-access-controls.md diff --git a/docs/updates/2025-11-05-excitor-consensus-beta.md b/docs/implplan/archived/updates/2025-11-05-excitor-consensus-beta.md similarity index 100% rename from docs/updates/2025-11-05-excitor-consensus-beta.md rename to docs/implplan/archived/updates/2025-11-05-excitor-consensus-beta.md 
diff --git a/docs/updates/2025-11-07-concelier-advisory-chunks.md b/docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md similarity index 100% rename from docs/updates/2025-11-07-concelier-advisory-chunks.md rename to docs/implplan/archived/updates/2025-11-07-concelier-advisory-chunks.md diff --git a/docs/updates/2025-11-09-authority-ldap-plugin.md b/docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md similarity index 100% rename from docs/updates/2025-11-09-authority-ldap-plugin.md rename to docs/implplan/archived/updates/2025-11-09-authority-ldap-plugin.md diff --git a/docs/updates/2025-11-12-notify-attestation-templates.md b/docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md similarity index 100% rename from docs/updates/2025-11-12-notify-attestation-templates.md rename to docs/implplan/archived/updates/2025-11-12-notify-attestation-templates.md diff --git a/docs/implplan/archived/SPRINT_100_identity_signing.md b/docs/implplan/archived/updates/SPRINT_100_identity_signing.md similarity index 100% rename from docs/implplan/archived/SPRINT_100_identity_signing.md rename to docs/implplan/archived/updates/SPRINT_100_identity_signing.md diff --git a/docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md b/docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md similarity index 100% rename from docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md rename to docs/implplan/archived/updates/SPRINT_110_ingestion_evidence_2025-11-13.md diff --git a/docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md b/docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md similarity index 94% rename from docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md rename to docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md index 2fc2889db..6e3dedf34 100644 --- a/docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md 
+++ b/docs/implplan/archived/updates/SPRINT_125_mirror_2025-11-13.md @@ -15,8 +15,8 @@ MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create|verify` commands wi MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. Dependencies: MIRROR-CRT-56-002, EXPORT-OBS-54-001. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator) -If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md +If all tasks are done - read next sprint section - SPRINT_0120_0000_0001_policy_reasoning.md > 2025-11-04: AIAI-31-004A DONE – WebService/Worker wiring plus filesystem queue operational; metrics/logs added; tests executed via `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj --no-restore`. -> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata. \ No newline at end of file +> 2025-11-04: AIAI-31-006 DONE – REST endpoints enforce scope headers, apply rate limits, sanitize prompts through guardrails, and enqueue execution with cached metadata. diff --git a/docs/implplan/archived/SPRINT_130_scanner_surface.md b/docs/implplan/archived/updates/SPRINT_130_scanner_surface.md similarity index 100% rename from docs/implplan/archived/SPRINT_130_scanner_surface.md rename to docs/implplan/archived/updates/SPRINT_130_scanner_surface.md diff --git a/docs/implplan/archived/SPRINT_137_scanner_gap_design.md b/docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md similarity index 100% rename from docs/implplan/archived/SPRINT_137_scanner_gap_design.md rename to docs/implplan/archived/updates/SPRINT_137_scanner_gap_design.md 
diff --git a/docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md b/docs/implplan/archived/updates/SPRINT_300_documentation_process_2025-11-13.md similarity index 100% rename from docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md rename to docs/implplan/archived/updates/SPRINT_300_documentation_process_2025-11-13.md diff --git a/docs/implplan/archived/SPRINT_301_docs_tasks_md_i_2025-11-13.md b/docs/implplan/archived/updates/SPRINT_301_docs_tasks_md_i_2025-11-13.md similarity index 100% rename from docs/implplan/archived/SPRINT_301_docs_tasks_md_i_2025-11-13.md rename to docs/implplan/archived/updates/SPRINT_301_docs_tasks_md_i_2025-11-13.md diff --git a/docs/implplan/archived/tasks.md b/docs/implplan/archived/updates/tasks.md similarity index 100% rename from docs/implplan/archived/tasks.md rename to docs/implplan/archived/updates/tasks.md diff --git a/docs/implplan/tasks-all.md b/docs/implplan/tasks-all.md index 234f325ed..37a44dd4b 100644 --- a/docs/implplan/tasks-all.md +++ b/docs/implplan/tasks-all.md 
@@ -9,7 +9,7 @@ | AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 | | EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 | | AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | -| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | +| LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | | CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 | | SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | 
@@ -32,9 +32,9 @@ | 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 | | 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 | | 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 | -| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | -| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | -| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | +| 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | +| 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | +| 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | | 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 | | 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 | | 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | 
VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 | @@ -48,7 +48,7 @@ | 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 | | 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 | | 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | -| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | +| 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | | 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 | | 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 | | 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 | 
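Review bot: on the `34-101` row the two dependency cells disagree in form (`29-009` in one, `LEDGER-29-009` in the other), and what appears to be the same task is listed again as `LEDGER-34-101` in the `@@ -1143,17` hunk with code `PLLG0101`, whereas this row says `PLLG0104`. Since the row is being edited anyway, reconcile the two entries, or drop the short-id row and keep the prefixed one, so the sprint rename does not have to be applied in two places next time.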
@@ -61,7 +61,7 @@ | 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 | | 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 | | 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 | -| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | +| 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | | 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 | | 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 | | 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 | 
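Review bot: the `58 series` row leaves both dependency cells blank, while the other rows in this hunk fill them with either a dependency or the dash placeholder. A blank cell reads as "not yet filled in" rather than "no dependency"; please set it to the placeholder or to the concrete upstream task, and consider replacing `58 series` with the individual task ids so the row can be tracked like the rest.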
@@ -940,14 +940,14 @@ | EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 | +| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. 
| EXCITITOR-AIRGAP-56 | EXAG0101 | | EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | +| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | | EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. 
| EXCITITOR-AIRGAP-58 | EXAG0101 | +| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 | | EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 | -| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 | -| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | +| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. 
| EXCITITOR-ATTEST-01-003 | EXAT0101 | +| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | | EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 | | EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 | | EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 | 
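Review bot: the new id on the `EXCITITOR-AIRGAP-*` and `EXCITITOR-ATTEST-73-*` rows is `SPRINT_0119_0001_0001_excititor_i`, with a middle segment of `0001`, while the policy-reasoning rename elsewhere in this patch uses `0000` (`SPRINT_0120_0000_0001_policy_reasoning`). Please confirm both strings match the actual sprint file names, since a mistyped segment in this column breaks the cross-reference without any visible error. The connector rows directly below still point at `SPRINT_120_excititor_ii`, so the Excititor entries are now split across both schemes.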
@@ -1143,17 +1143,17 @@ | KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 | | KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 | | LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. 
| GRSC0101 & RBRE0101 | LEDG0101 | -| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | -| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | -| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | -| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | -| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. 
| PLLG0102 | PLLG0102 | -| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | -| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | -| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | -| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | -| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | -| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | +| LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | +| LEDGER-29-008 | TODO | | 
SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | +| LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | +| LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | +| LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 | +| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | +| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | +| LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | +| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave 
verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | +| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | +| LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | | LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 | | LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 | | LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 | 
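Review bot: the `LEDGER-AIRGAP-56` row carries `PLLG0102` in both of its last two cells, where every other row in this hunk has a task id or a dash in the first of them, so the row appears to depend on its own code. Please replace it with the real upstream task or the dash placeholder while the line is being touched. Also note that the rename stops at `LEDGER-ATTEST-73-001`: the next row, `LEDGER-ATTEST-73-002`, depends on it but stays on `SPRINT_121_policy_reasoning` in the old form.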
@@ -2228,7 +2228,7 @@ | AIRGAP-TIME-CONTRACT-1501 | TODO | | SPRINT_150_mirror_time | AirGap Time Guild | | — | — | ATMI0102 | | EXPORT-MIRROR-ORCH-1501 | TODO | | SPRINT_150_mirror_orch | Exporter Guild · CLI Guild | | — | — | ATMI0102 | | AIAI-31-007 | DONE | 2025-11-06 | SPRINT_111_advisoryai | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | -| LEDGER-29-006 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | +| LEDGER-29-006 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | | — | — | PLLG0101 | | CARTO-GRAPH-21-002 | TODO | | SPRINT_113_concelier_ii | Cartographer Guild | src/Cartographer/Contracts | ATLN0101 approvals | Task #1 schema freeze | CAGR0101 | | SURFACE-FS-01 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | | SURFACE-FS-02 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | — | — | SCSS0101 | 
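Review bot: this hunk applies the same edit to the same rows as `@@ -9,7 +9,7`, and the hunks that follow repeat `-32`, `-48`, `-61`, `-940` and `-1143` roughly 2,220 lines further down, which suggests the file contains the whole table twice. Every rename then has to be made in both copies and the two can drift apart unnoticed. Please remove the duplicate block, or generate the second copy from the first, before more ids are migrated.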
@@ -2251,9 +2251,9 @@ | 24-003 | DOING | 2025-11-09 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-002 + provenance enrichment | 24-002 + provenance enrichment | SGSI0101 | | 24-004 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | Authority scopes + 24-003 | Authority scopes + 24-003 | SGSI0101 | | 24-005 | BLOCKED | 2025-10-27 | SPRINT_140_runtime_signals | Signals Guild | src/Signals/StellaOps.Signals | 24-004 scoring outputs | 24-004 scoring outputs | SGSI0101 | -| 29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | -| 29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | -| 29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | +| 29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · Observability Guild | src/Findings/StellaOps.Findings.Ledger | LEDGER-29-006 | LEDGER-29-006 | PLLG0104 | +| 29-008 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · QA Guild | src/Findings/StellaOps.Findings.Ledger | 29-007 | LEDGER-29-007 | PLLG0104 | +| 29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · DevOps Guild | src/Findings/StellaOps.Findings.Ledger | 29-008 | LEDGER-29-008 | PLLG0104 | | 30-001 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | — | — | PLVL0102 | | 30-002 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-001 | VEXLENS-30-001 | PLVL0102 | | 30-003 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · Issuer Directory Guild | src/VexLens/StellaOps.VexLens | 
VEXLENS-30-002 | VEXLENS-30-002 | PLVL0102 | @@ -2267,7 +2267,7 @@ | 30-011 | TODO | | SPRINT_129_policy_reasoning | VEX Lens Guild · DevOps Guild | src/VexLens/StellaOps.VexLens | VEXLENS-30-010 | VEXLENS-30-010 | PLVL0103 | | 31-008 | TODO | | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | AIAI-31-006; AIAI-31-007 | AIAI-31-006; AIAI-31-007 | ADAI0101 | | 31-009 | DONE | 2025-11-12 | SPRINT_110_ingestion_evidence | Advisory AI Guild | src/AdvisoryAI/StellaOps.AdvisoryAI | — | — | ADAI0101 | -| 34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | +| 34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | 29-009 | LEDGER-29-009 | PLLG0104 | | 401-004 | TODO | | SPRINT_401_reachability_evidence_chain | Replay Core Guild | `src/__Libraries/StellaOps.Replay.Core` | Signals facts stable (SGSI0101) | Signals facts stable (SGSI0101) | RPRC0101 | | 41-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | — | — | ORTR0101 | | 44-001 | TODO | | SPRINT_501_ops_deployment_i | Deployment Guild · DevEx Guild (ops/deployment) | ops/deployment | — | — | DVDO0103 | 
@@ -2280,7 +2280,7 @@ | 51-002 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild · Security Guild | src/Telemetry/StellaOps.Telemetry.Core | OBS-50 baselines | OBS-50 baselines | TLTY0101 | | 54-001 | TODO | | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | | Await PGMI0101 staffing confirmation | PROGRAM-STAFF-1001 | AGCO0101 | | 56-001 | TODO | | SPRINT_170_notifications_telemetry | Telemetry Core Guild · Observability Guild | src/Telemetry/StellaOps.Telemetry.Core | SGSI0101 provenance | SGSI0101 provenance | TLTY0101 | -| 58 series | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | +| 58 series | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | src/Findings/StellaOps.Findings.Ledger | | | PLLG0102 | | 61-001 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | — | — | APIG0101 | | 61-002 | TODO | | SPRINT_511_api | API Governance Guild | src/Api/StellaOps.Api.Governance | 61-001 | 61-001 | APIG0101 | | 62-001 | TODO | | SPRINT_206_devportal | DevPortal Guild | src/DevPortal/StellaOps.DevPortal.Site | APIG0101 outputs | APIG0101 outputs | DEVL0101 | 
@@ -3161,14 +3161,14 @@ | EXCITITOR-AIAI-31-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Observability Guild | | Telemetry/guardrail metrics follow chunk API. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIAI-31-004 | TODO | | SPRINT_110_ingestion_evidence | Docs Guild · Excititor Guild | | Docs/OpenAPI alignment queued behind chunk API finalisation. | EXCITITOR-AIAI-31-002 | EXAI0101 | | EXCITITOR-AIRGAP-56 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Air-gap + connector parity depend on schema + attestation readiness. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_119_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. | EXCITITOR-AIRGAP-56 | EXAG0101 | +| EXCITITOR-AIRGAP-56-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Wire mirror bundle ingestion paths that preserve upstream digests, bundle IDs, and provenance metadata exactly so offline Advisory-AI/Lens deployments can replay evidence with AOC parity. 
| EXCITITOR-AIRGAP-56 | EXAG0101 | | EXCITITOR-AIRGAP-57 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same as -56 plus Evidence Locker | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_119_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | +| EXCITITOR-AIRGAP-57-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor AirGap Policy Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | src/Excititor/__Libraries/StellaOps.Excititor.Core | Enforce sealed-mode policies that disable external connectors, emit actionable remediation errors, and record staleness annotations that Advisory AI can surface as “evidence freshness” signals. Depends on EXCITITOR-AIRGAP-56-001. | EXCITITOR-AIRGAP-57 | EXAG0101 | | EXCITITOR-AIRGAP-58 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | Same upstream | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXAG0101 | -| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_119_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. 
| EXCITITOR-AIRGAP-58 | EXAG0101 | +| EXCITITOR-AIRGAP-58-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Core + Evidence Locker Guilds | src/Excititor/__Libraries/StellaOps.Excititor.Core | Package tenant-scoped VEX evidence (raw JSON, normalization diff, provenance) into portable bundles tied to timeline events so Advisory AI can hydrate contexts in sealed environments. Depends on EXCITITOR-AIRGAP-57-001. | EXCITITOR-AIRGAP-58 | EXAG0101 | | EXCITITOR-ATTEST-01-003 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild | | Attestation payload ordering awaiting sequencing session. | EXCITITOR-AIAI-31-002; ELOCKER-CONTRACT-2001 | EXAT0101 | -| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. | EXCITITOR-ATTEST-01-003 | EXAT0101 | -| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_119_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | +| EXCITITOR-ATTEST-73-001 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Emit attestation payloads that capture supplier identity, justification summary, and scope metadata so downstream Lens/Policy jobs can chain trust without Excititor interpreting the evidence. Depends on EXCITITOR-ATTEST-01-003. 
| EXCITITOR-ATTEST-01-003 | EXAT0101 | +| EXCITITOR-ATTEST-73-002 | TODO | | SPRINT_0119_0001_0001_excititor_i | Excititor Guild | src/Excititor/__Libraries/StellaOps.Excititor.Core | Provide APIs that link attestation IDs back to observation/linkset/product tuples, enabling Advisory AI to cite provenance without any derived verdict. Depends on EXCITITOR-ATTEST-73-001. | EXCITITOR-ATTEST-73-001 | EXAT0101 | | EXCITITOR-CONN-SUSE-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (SUSE connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub | DONE (2025-11-09) – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002; EXCITITOR-POLICY-01-001 | EXCN0101 | | EXCITITOR-CONN-TRUST-01-001 | TODO | | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | | ATTEST-PLAN-2001 | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | EXCN0101 | | EXCITITOR-CONN-UBUNTU-01-003 | TODO | | SPRINT_120_excititor_ii | Excititor Guild (Ubuntu connector) | src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF | DONE (2025-11-09) – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002 | EXCN0101 | 
@@ -3364,17 +3364,17 @@ | KMS-73-001 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | AWS/GCP KMS drivers landed with digest-first signing, metadata caching, config samples, and docs/tests green. | KMSI0102 | | KMS-73-002 | DONE (2025-11-03) | 2025-11-03 | SPRINT_100_identity_signing | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms) | src/__Libraries/StellaOps.Cryptography.Kms | PKCS#11 + FIDO2 drivers shipped (deterministic digesting, authenticator factories, DI extensions) with docs + xUnit fakes covering sign/verify/export flows. | FIDO2 | KMSI0102 | | LATTICE-401-023 | TODO | | SPRINT_401_reachability_evidence_chain | Scanner Guild · Policy Guild | `docs/reachability/lattice.md`, `docs/modules/scanner/architecture.md`, `src/Scanner/StellaOps.Scanner.WebService` | Update reachability/lattice docs + examples. 
| GRSC0101 & RBRE0101 | LEDG0101 | -| LEDGER-29-007 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | -| LEDGER-29-008 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | -| LEDGER-29-009 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | -| LEDGER-34-101 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | -| LEDGER-AIRGAP-56 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. 
| PLLG0102 | PLLG0102 | -| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | -| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | -| LEDGER-AIRGAP-57 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | -| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | -| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | -| LEDGER-ATTEST-73-001 | TODO | | SPRINT_120_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | +| LEDGER-29-007 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild (`src/Findings/StellaOps.Findings.Ledger`) | src/Findings/StellaOps.Findings.Ledger | Instrument metrics | LEDGER-29-006 | PLLG0101 | +| LEDGER-29-008 | TODO | | 
SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + QA Guild | src/Findings/StellaOps.Findings.Ledger | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant | LEDGER-29-007 | PLLG0101 | +| LEDGER-29-009 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + DevOps Guild | src/Findings/StellaOps.Findings.Ledger | Provide deployment manifests | LEDGER-29-008 | PLLG0101 | +| LEDGER-34-101 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries | LEDGER-29-009 | PLLG0101 | +| LEDGER-AIRGAP-56 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Guilds | | AirGap ledger schema. | PLLG0102 | PLLG0102 | +| LEDGER-AIRGAP-56-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild | src/Findings/StellaOps.Findings.Ledger | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles | LEDGER-AIRGAP-56 | PLLG0102 | +| LEDGER-AIRGAP-56-002 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger + AirGap Time Guild | src/Findings/StellaOps.Findings.Ledger | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging | LEDGER-AIRGAP-56-001 | PLLG0102 | +| LEDGER-AIRGAP-57 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild · AirGap Guilds · Evidence Locker Guild | | — | — | PLLG0102 | +| LEDGER-AIRGAP-57-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Evidence Locker Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave 
verification works | LEDGER-AIRGAP-56-002 | PLLG0102 | +| LEDGER-AIRGAP-58-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, AirGap Controller Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Emit timeline events for bundle import impacts | LEDGER-AIRGAP-57-001 | PLLG0102 | +| LEDGER-ATTEST-73-001 | TODO | | SPRINT_0120_0000_0001_policy_reasoning | Findings Ledger Guild, Attestor Service Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Persist pointers from findings to verification reports and attestation envelopes for explainability | — | PLLG0102 | | LEDGER-ATTEST-73-002 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Enable search/filter in findings projections by verification result and attestation status | LEDGER-ATTEST-73-001 | PLLG0102 | | LEDGER-EXPORT-35-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata | — | PLLG0101 | | LEDGER-OAS-61-001 | TODO | | SPRINT_121_policy_reasoning | Findings Ledger Guild, API Contracts Guild / src/Findings/StellaOps.Findings.Ledger | src/Findings/StellaOps.Findings.Ledger | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples | — | PLLG0101 | diff --git a/docs/product-advisories/15-Nov-2026 - embedded in-toto provenance events.md b/docs/product-advisories/15-Nov-2026 - embedded in-toto provenance events.md new file mode 100644 index 000000000..516464b81 --- /dev/null +++ b/docs/product-advisories/15-Nov-2026 - embedded in-toto provenance events.md 
@@ -0,0 +1,133 @@ +Here’s a compact, practical way to think about **embedding in‑toto provenance attestations directly inside your event payloads** (instead of sidecar files), so your vuln/build graph stays temporally consistent. + +--- + +### Why embed? + +* **Atomicity:** build → publish → scan → VEX decisions share one event ID and clock; no dangling sidecars. +* **Replayability:** the event stream alone reproduces state (great for offline kits/audits). +* **Causal joins:** vulnerability findings can cite the exact provenance that led to an image/digest. + +--- + +### Event shape (single, self‑contained envelope) + +```json +{ + "eventId": "01JDN2Q0YB8M…", + "eventType": "build.provenance.v1", + "occurredAt": "2025-11-13T10:22:31Z", + "subject": { + "artifactPurl": "pkg:docker/acme/api@sha256:…", + "digest": {"sha256": "…"} + }, + "provenance": { + "kind": "in-toto-provenance", + "dsse": { + "payloadType": "application/vnd.in-toto+json", + "payload": "", + "signatures": [{"keyid":"…","sig":"…"}] + }, + "transparency": { + "rekor": {"logIndex": 123456, "logID": "…", "entryUUID": "…"} + } + }, + "sig": { + "envelope": "dsse", + "alg": "Ed25519", + "bundle": { "certChain": ["…"], "timestamp": "…" } + }, + "meta": { + "builderId": "https://builder.stella-ops.local/gha", + "buildInvocationId": "gha-run-457812", + "slsa": {"level": 3} + } +} +``` + +**Notes** + +* `provenance.dsse.payload` holds the raw in‑toto Statement (Statement + Subject + Predicate). +* Keep both **artifact digest** (subject) and **statement subject** (inside payload) and verify they match on ingest. + +--- + +### DB model (Mongo-esque) + +* `events` collection: one doc per event (above schema). +* **Compound index:** `{ "subject.digest.sha256": 1, "occurredAt": 1 }` +* **Causal index:** `{ "meta.buildInvocationId": 1 }` +* **Uniq guard:** `{ "eventId": 1 } unique` + +--- + +### Ingest pipeline (deterministic) + +1. **Verify DSSE:** check signature, cert roots (or offline trust bundle). +2. 
**Validate Statement:** subject digests, builder ID, predicateType. +3. **Upsert artifact node:** keyed by digest; attach `lastProvenanceEventId`. +4. **Append event:** write once; never mutate (event‑sourced). +5. **Emit derived edges:** `(builderId) --built--> (artifact@digest)` with `occurredAt`. + +--- + +### Joining scans to provenance (temporal consistency) + +* When a scan event arrives, resolve the **latest provenance event with `occurredAt ≤ scan.occurredAt`** for the same digest. +* Store an edge `(artifact@digest) --scannedWith--> (scanner@version)` with a **pointer to the provenance eventId** used for policy. + +--- + +### Minimal .NET 10 contracts + +```csharp +public sealed record DsseEnvelope(string PayloadType, string Payload, IReadOnlyList Signatures); +public sealed record Provenance(string Kind, DsseEnvelope Dsse, Transparency? Transparency); +public sealed record EventSubject(string ArtifactPurl, Digest Digest); +public sealed record EventEnvelope( + string EventId, string EventType, DateTime OccurredAt, + EventSubject Subject, Provenance Provenance, SigMeta Sig, Meta Meta); + +public interface IEventVerifier { + ValueTask VerifyAsync(EventEnvelope ev, CancellationToken ct); +} +public interface IEventIngestor { + ValueTask IngestAsync(EventEnvelope ev, CancellationToken ct); // verify->validate->append->derive +} +``` + +--- + +### Policy hooks (VEX/Trust Algebra) + +* **Rule:** “Only trust findings if the scan’s referenced provenance has `builderId ∈ AllowedBuilders` and `SLSA ≥ 3` and `time(scan) − time(prov) ≤ 24h`.” +* **Effect:** drops stale/forged results and aligns all scoring to one timeline. + +--- + +### Migration from sidecars + +1. **Dual‑write** for one sprint: keep emitting sidecars, but also embed DSSE in events. +2. Add **backfill job**: wraps historical sidecars into `build.provenance.v1` events (preserve original timestamps). +3. 
Flip **consumers** (scoring/VEX) to **require `provenance` in the event**; keep sidecar reader only for legacy imports. + +--- + +### Failure & edge cases + +* **Oversized payloads:** gzip the DSSE payload; cap event body (e.g., 512 KB) and store overflow in `provenance.ref` (content‑addressed blob) while **hash‑linking** it in the event. +* **Multiple subjects:** keep the Statement intact; still key the event by the **primary digest** you care about, but validate all subjects. + +--- + +### Quick checklist to ship + +* [ ] Event schema & JSON schema with strict types (no additionalProperties). +* [ ] DSSE + in‑toto validators (offline trust bundles supported). +* [ ] Mongo indexes + append‑only writer. +* [ ] Temporal join in scanner consumer (≤ O(log n) via index). +* [ ] VEX rules referencing `event.meta` & `provenance.dsse`. +* [ ] Backfill task for legacy sidecars. +* [ ] Replay test: rebuild graph from events only → identical results. + +If you want, I can turn this into ready‑to‑drop **.proto + C# models**, plus a Mongo migration script and a tiny verifier service. diff --git a/docs/product-advisories/15-Nov-2026 - function-level vex explainability.md b/docs/product-advisories/15-Nov-2026 - function-level vex explainability.md new file mode 100644 index 000000000..7ef4637d0 --- /dev/null +++ b/docs/product-advisories/15-Nov-2026 - function-level vex explainability.md 
@@ -0,0 +1,103 @@ + + +Here’s a tight idea I think you’ll like: **make every VEX “non‑affected” verdict explain itself with provable, symbol‑level evidence**—not just “package X isn’t reachable,” but “function `Foo::bar()` (the vulnerable sink) is never called in any admissible execution of image Y,” backed by cryptographic provenance. + +--- + +# Why this matters (quickly) + +* **Trust**: Auditors and customers can verify why you suppressed a CVE. +* **Quiet scanner**: Fewer false alarms because decisions cite concrete call‑paths (or their absence). +* **Moat**: Competitors stop at file/package reachability; you show **function‑level** proof tied to in‑toto attestations. + +--- + +# Core concept (plain) + +Blend two things: + +1. **Deterministic symbol reachability** (per language): build minimal call graphs and mark whether the vulnerable symbol is callable from your app’s entrypoints. +2. **in‑toto‑anchored provenance**: sign the *inputs and reasoning* (rules, SBOM slice, call‑graph hash, evidence artifacts), so the verdict can be independently re‑verified. + +Result: each VEX decision is a **verifiable mini‑proof**. + +--- + +# What the evidence looks like (per CVE/component) + +* **Symbol set**: canonical IDs of vulnerable functions (e.g., `pkg@ver#Type::Method(sig)`). +* **Call‑graph digest**: hash of pruned call graph from app entrypoints to those symbols. +* **Evidence**: + + * Static: “No path from any entrypoint → {vuln symbols} (k=0).” + * Optional runtime: sampled traces (EventPipe/JFR/eBPF) show **0 hits** to symbols/guards. +* **Context**: build inputs (SBOM, lockfiles, compile units), framework models used, versions. +* **Attestation**: in‑toto/DSSE signed bundle with reproducible scan manifest. + +--- + +# Minimal prototype this week (Scanner reachability scorer) + +1. **Symbol mappers (MVP)** + + * .NET: read PDB + IL to enumerate `MethodDef` symbols; map NuGet pkg → assembly → methods. 
+ * JVM: JAR index + method table (from ASM); map Maven coords → classes → methods. +2. **Entrypoint discovery** + + * Docker CMD/ENTRYPOINT → process launch → managed main(s) (ASP.NET Program.Main, Spring Boot main). +3. **Shallow call‑graph** (no fancy points‑to yet): + + * Direct calls + common framework handoffs (ASP.NET routing → controller; Spring @RequestMapping → handler). +4. **Vuln ↔ symbol alignment** + + * Heuristics: match GHSA/OSV “affected functions” or patch diff to infer symbol names; fallback to package‑scope verdict with a flag “symbol‑inferred: false”. +5. **Decision object** + + * `ReachabilityDecision.json` with: entrypoints, symbol set, path_count, notes, hashes. +6. **Attest** + + * Emit `reachability.intoto.jsonl` (subject = image digest + SBOM component + symbol digest). Cosign with your test key. +7. **VEX output** + + * OpenVEX statement reason: `component_not_present` or `vulnerable_code_not_in_execute_path` with `justification_url` → small HTML report (signed). + +--- + +# Data & schemas to add + +* `Scanner.Reachability/` + + * `SymbolIndex` (pkg → assemblies/classes/methods) + * `EntryPoints` (per image, normalized) + * `CallGraphPruned` (edges + hash) + * `Decision` (path_count, evidence, versions) +* `Authority` + + * Key management for DSSE; policy to **require** reachability evidence for “non‑affected”. + +--- + +# Language roadmap (fast win → harder) + +* **Week 1–2:** .NET + JVM shallow graphs + ASP.NET/Spring models. +* **Week 3–4:** Node/TS (TS compiler API), Go (SSA), Python (import graph + common web frameworks). +* **Stretch:** Rust/Swift (MIR/SIL summaries), native (symbols + coarse edges), Shell (exec chain). + +--- + +# Where to surface it (UX) + +* VEX details panel: “Non‑affected (0 call paths)” → expand → show entrypoints, collapsed edge list, trace hit‑counts, and “Verify attestation” button. +* CLI: `stella scan --explain CVE-XYZ --verify-attestation`. 
+ +--- + +# Guardrails + +* If symbol mapping is uncertain, **do not** claim “non‑affected”; downgrade to “under review” with rationale. +* Cache symbol indexes per package version; keep the call‑graph pruned to entrypoint cones for speed. +* Everything reproducible: the **scan manifest** (feeds, rule versions, hashes) must recreate the same decision bit‑for‑bit. + +--- + +If you want, I can draft the exact C# namespaces, interfaces, and the OpenVEX + in‑toto payloads you can drop into `Scanner.Reachability` and `Authority.Attest`. diff --git a/docs/product-advisories/15-Nov-2026 - ipal serdica census excel import blueprint.md b/docs/product-advisories/15-Nov-2026 - ipal serdica census excel import blueprint.md new file mode 100644 index 000000000..150309963 --- /dev/null +++ b/docs/product-advisories/15-Nov-2026 - ipal serdica census excel import blueprint.md 
@@ -0,0 +1,488 @@ +Here is a complete, implementation-ready sketch you can drop into your solution and tune. + +I assume: + +* ASP.NET Core Web API (.NET 10). +* EF `DbContext` with `DbSet`. +* Excel via **ClosedXML** (clean API, MIT license, built on OpenXML). + +--- + +## 1. NuGet packages + +Add to the Web/API project: + +```bash +dotnet add package ClosedXML +dotnet add package DocumentFormat.OpenXml +``` + +--- + +## 2. File repository abstraction + +This matches your requirement: upload/download by `bucketId` + `fileId`, plus stream variants. + +```csharp +public interface IFileRepository +{ + // Uploads a file identified by bucketId + fileId from a Stream + Task UploadAsync( + string bucketId, + string fileId, + Stream content, + string contentType, + CancellationToken cancellationToken = default); + + // Uploads a file from an in-memory buffer + Task UploadAsync( + string bucketId, + string fileId, + byte[] content, + string contentType, + CancellationToken cancellationToken = default); + + // Downloads a file as a Stream (caller is responsible for disposing) + Task DownloadAsStreamAsync( + string bucketId, + string fileId, + CancellationToken cancellationToken = default); + + // Downloads a file as a byte[] buffer + Task DownloadAsBytesAsync( + string bucketId, + string fileId, + CancellationToken cancellationToken = default); +} +``` + +Example of a simple implementation over some `IFileStoreClient` (adjust to your FileStore API): + +```csharp +public sealed class FileStoreRepository : IFileRepository +{ + private readonly IFileStoreClient _client; + + public FileStoreRepository(IFileStoreClient client) + { + _client = client; + } + + public async Task UploadAsync( + string bucketId, + string fileId, + Stream content, + string contentType, + CancellationToken cancellationToken = default) + { + // Example – adapt to your real client + await _client.PutObjectAsync( + bucketId: bucketId, + objectId: fileId, + content: content, + contentType: contentType, + 
cancellationToken: cancellationToken); + } + + public async Task UploadAsync( + string bucketId, + string fileId, + byte[] content, + string contentType, + CancellationToken cancellationToken = default) + { + await using var ms = new MemoryStream(content, writable: false); + await UploadAsync(bucketId, fileId, ms, contentType, cancellationToken); + } + + public async Task DownloadAsStreamAsync( + string bucketId, + string fileId, + CancellationToken cancellationToken = default) + { + // Must return a readable Stream ready for ClosedXML + return await _client.GetObjectStreamAsync( + bucketId: bucketId, + objectId: fileId, + cancellationToken: cancellationToken); + } + + public async Task DownloadAsBytesAsync( + string bucketId, + string fileId, + CancellationToken cancellationToken = default) + { + await using var stream = await DownloadAsStreamAsync(bucketId, fileId, cancellationToken); + using var ms = new MemoryStream(); + await stream.CopyToAsync(ms, cancellationToken); + return ms.ToArray(); + } +} +``` + +Register in DI: + +```csharp +builder.Services.AddScoped(); +``` + +--- + +## 3. Import service for `PolCensusList` from Excel + +To keep the controller thin, put Excel parsing + EF into a service. + +Assumptions (adjust as needed): + +* The file is an `.xlsx` with a header row. +* Data starts at row 2. +* Columns are: + +| Column | Excel | Property | +| ------ | ----- | -------------- | +| A | 1 | CustPid | +| B | 2 | Gname | +| C | 3 | Sname | +| D | 4 | Fname | +| E | 5 | BirthDate | +| F | 6 | Gender | +| G | 7 | Bmi | +| H | 8 | Dependant | +| I | 9 | DependantOn | +| J | 10 | MemberAction | +| K | 11 | GrpCode | +| L | 12 | BeginDate | +| M | 13 | SrCustId | +| N | 14 | MemberPolicyId | +| O | 15 | MemberAnnexId | +| P | 16 | ErrMsg | + +Other fields (`SrPolicyId`, `SrAnnexId`, `FileId`, `Tstamp`) are taken from parameters/system. 
+ +```csharp +using System.Globalization; +using ClosedXML.Excel; +using Microsoft.EntityFrameworkCore; + +public interface IPolCensusImportService +{ + Task ImportFromExcelAsync( + string bucketId, + string fileId, + decimal srPolicyId, + decimal srAnnexId, + CancellationToken cancellationToken = default); +} + +public sealed class PolCensusImportService : IPolCensusImportService +{ + private readonly SerdicaHealthContext _dbContext; + private readonly IFileRepository _fileRepository; + + public PolCensusImportService( + SerdicaHealthContext dbContext, + IFileRepository fileRepository) + { + _dbContext = dbContext; + _fileRepository = fileRepository; + } + + public async Task ImportFromExcelAsync( + string bucketId, + string fileId, + decimal srPolicyId, + decimal srAnnexId, + CancellationToken cancellationToken = default) + { + await using var stream = await _fileRepository.DownloadAsStreamAsync(bucketId, fileId, cancellationToken); + using var workbook = new XLWorkbook(stream); + var worksheet = workbook.Worksheets.First(); + + var now = DateTime.UtcNow; + var entities = new List(); + + const int headerRow = 1; + var firstDataRow = headerRow + 1; + + for (var row = firstDataRow; ; row++) + { + var rowRange = worksheet.Row(row); + if (rowRange.IsEmpty()) break; // Stop on first fully empty row + + // Minimal “empty row” check – no CustPid and no Name => stop + var custPidCell = rowRange.Cell(1); + var gnameCell = rowRange.Cell(2); + var snameCell = rowRange.Cell(3); + + if (custPidCell.IsEmpty() && gnameCell.IsEmpty() && snameCell.IsEmpty()) + { + break; + } + + var entity = new PolCensusList + { + // Non-null FK fields from parameters + SrPolicyId = srPolicyId, + SrAnnexId = srAnnexId, + + CustPid = custPidCell.GetString().Trim(), + Gname = gnameCell.GetString().Trim(), + Sname = snameCell.GetString().Trim(), + Fname = rowRange.Cell(4).GetString().Trim(), + BirthDate = GetDate(rowRange.Cell(5)), + Gender = rowRange.Cell(6).GetString().Trim(), + Bmi = 
GetDecimal(rowRange.Cell(7)), + Dependant = rowRange.Cell(8).GetString().Trim(), + DependantOn = rowRange.Cell(9).GetString().Trim(), + MemberAction = rowRange.Cell(10).GetString().Trim(), + GrpCode = rowRange.Cell(11).GetString().Trim(), + BeginDate = GetNullableDate(rowRange.Cell(12)), + SrCustId = GetNullableDecimal(rowRange.Cell(13)), + MemberPolicyId= GetNullableDecimal(rowRange.Cell(14)), + MemberAnnexId = GetNullableDecimal(rowRange.Cell(15)), + ErrMsg = rowRange.Cell(16).GetString().Trim(), + + // Audit / technical fields + Tstamp = now, + FileId = fileId, + + // Attr* left null for now – can be mapped later if needed + }; + + entities.Add(entity); + } + + await using var transaction = await _dbContext.Database.BeginTransactionAsync(cancellationToken); + try + { + await _dbContext.PolCensusLists.AddRangeAsync(entities, cancellationToken); + var affected = await _dbContext.SaveChangesAsync(cancellationToken); + await transaction.CommitAsync(cancellationToken); + return affected; + } + catch + { + await transaction.RollbackAsync(cancellationToken); + throw; + } + } + + private static DateTime GetDate(IXLCell cell) + { + if (cell.DataType == XLDataType.DateTime && + cell.GetDateTime() != default) + { + return cell.GetDateTime().Date; + } + + var raw = cell.GetString().Trim(); + if (string.IsNullOrEmpty(raw)) + throw new InvalidOperationException("BirthDate is required but empty."); + + // Try a few reasonable formats – extend if needed + var formats = new[] + { + "dd.MM.yyyy", + "dd/MM/yyyy", + "yyyy-MM-dd", + "M/d/yyyy", + }; + + if (DateTime.TryParseExact(raw, formats, + CultureInfo.InvariantCulture, + DateTimeStyles.AssumeLocal, + out var dt)) + { + return dt.Date; + } + + if (DateTime.TryParse(raw, CultureInfo.CurrentCulture, + DateTimeStyles.AssumeLocal, out var dt2)) + { + return dt2.Date; + } + + throw new FormatException($"Cannot parse date value '{raw}'."); + } + + private static DateTime? 
GetNullableDate(IXLCell cell) + { + if (cell.IsEmpty()) return null; + + if (cell.DataType == XLDataType.DateTime && + cell.GetDateTime() != default) + { + return cell.GetDateTime().Date; + } + + var raw = cell.GetString().Trim(); + if (string.IsNullOrEmpty(raw)) return null; + + var formats = new[] + { + "dd.MM.yyyy", + "dd/MM/yyyy", + "yyyy-MM-dd", + "M/d/yyyy", + }; + + if (DateTime.TryParseExact(raw, formats, + CultureInfo.InvariantCulture, + DateTimeStyles.AssumeLocal, + out var dt)) + { + return dt.Date; + } + + if (DateTime.TryParse(raw, CultureInfo.CurrentCulture, + DateTimeStyles.AssumeLocal, out var dt2)) + { + return dt2.Date; + } + + return null; + } + + private static decimal GetDecimal(IXLCell cell) + { + if (cell.IsEmpty()) return 0m; + + if (cell.DataType == XLDataType.Number) + { + return (decimal)cell.GetDouble(); + } + + var raw = cell.GetString().Trim(); + if (string.IsNullOrEmpty(raw)) return 0m; + + // Try invariant and current culture + if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result)) + return result; + + if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result)) + return result; + + throw new FormatException($"Cannot parse decimal value '{raw}'."); + } + + private static decimal? GetNullableDecimal(IXLCell cell) + { + if (cell.IsEmpty()) return null; + + if (cell.DataType == XLDataType.Number) + { + return (decimal)cell.GetDouble(); + } + + var raw = cell.GetString().Trim(); + if (string.IsNullOrEmpty(raw)) return null; + + if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.InvariantCulture, out var result)) + return result; + + if (decimal.TryParse(raw, NumberStyles.Any, CultureInfo.CurrentCulture, out result)) + return result; + + return null; + } +} +``` + +Register the service: + +```csharp +builder.Services.AddScoped(); +``` + +--- + +## 4. 
API endpoint: import census data by `fileId` + +Controller for IPAL / Serdica health module: + +```csharp +using Microsoft.AspNetCore.Mvc; + +[ApiController] +[Route("api/health/census")] +public sealed class PolCensusController : ControllerBase +{ + private readonly IPolCensusImportService _importService; + + public PolCensusController(IPolCensusImportService importService) + { + _importService = importService; + } + + /// + /// Imports census members from an Excel file stored in FileStore. + /// + /// Logical bucket / container in FileStore (e.g. "ipal-serdica-census"). + /// Unique file identifier in FileStore. + /// Serdica policy id (FK for PolCensusList). + /// Serdica annex id (FK for PolCensusList). + [HttpPost("import/{bucketId}/{fileId}")] + public async Task ImportFromFile( + string bucketId, + string fileId, + [FromQuery] decimal srPolicyId, + [FromQuery] decimal srAnnexId, + CancellationToken cancellationToken) + { + var importedCount = await _importService.ImportFromExcelAsync( + bucketId, + fileId, + srPolicyId, + srAnnexId, + cancellationToken); + + return Ok(new + { + imported = importedCount, + fileId, + bucketId, + srPolicyId, + srAnnexId + }); + } +} +``` + +--- + +## 5. Optional: upload endpoint using `IFileRepository` + +If you want a simple upload entry point compatible with the repository: + +```csharp +[HttpPost("upload")] +public async Task UploadCensusFile( + [FromForm] IFormFile file, + [FromQuery] string bucketId, + CancellationToken cancellationToken) +{ + if (file == null || file.Length == 0) + return BadRequest("File is required."); + + var fileId = Guid.NewGuid().ToString("N"); + + await using var stream = file.OpenReadStream(); + await _fileRepository.UploadAsync( + bucketId, + fileId, + stream, + file.ContentType ?? 
"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + cancellationToken); + + return Ok(new { fileId, bucketId }); +} +``` + +--- + +If you tell me: + +* the exact Excel column layout you will get from IPAL / Serdica +* whether `CensusId` is sequence-generated in Oracle or must be populated in code, + +I can tighten the mapping + EF configuration so that it matches your schema 1:1 and is ready for production. diff --git a/docs/product-advisories/15-Nov-2026 - proof spine for explainable quiet alerts.md b/docs/product-advisories/15-Nov-2026 - proof spine for explainable quiet alerts.md new file mode 100644 index 000000000..9f6c3dc37 --- /dev/null +++ b/docs/product-advisories/15-Nov-2026 - proof spine for explainable quiet alerts.md 
@@ -0,0 +1,131 @@ + + +Here’s a compact, implementation‑ready blueprint to make your scanner’s results quiet, explainable, and auditable end‑to‑end. + +# Phase the “proof spine” + +1. **SBOM‑only → VEX‑ready → Attested** + +* **SBOM (now):** Generate SPDX 3.0.1 + CycloneDX 1.6 for every image/module. Include purls, CPE (if available), license IDs, source URIs, and build metadata. +* **VEX‑ready (next):** Normalize vuln inputs (OSV, GHSA, vendor feeds) to a single internal model; keep fields needed for VEX (status, justification, impact, action, timestamp, issuer). +* **Attest (then):** Emit **in‑toto/DSSE** attestations that bind: (a) SBOM digest, (b) ruleset version, (c) data sources & hashes, (d) VEX decisions. Log statement references in **Rekor** (or your mirror) for transparency. + +# Explainability path (per alert) + +For every surfaced finding, materialize: + +* **Origin SBOM node** → component@version (with purl/CPE) +* **Match rule** → which matcher hit (name+version, range, CPE heuristics, source trust) +* **VEX gate** → decision with justification (e.g., affected/not_affected, component_not_present, configuration_needed) +* **Reachability trace** → static (call graph path) and/or runtime (probe hits) to the vulnerable symbol(s) +* **Deterministic score** → numeric risk built from stable inputs (below) + Expose this as a single JSON object and a short, human‑readable proof block in the UI/CLI. + +# Smart‑Diff (incremental analysis) + +* **Change detector:** hash symbols/packages and dependency graphs; on new scans, diff against prior state. +* **Selective re‑analysis:** only re‑parse/re‑solve changed modules, lockfiles, or call‑graph regions. +* **Memoized match & reachability:** cache vuln matches and reachability slices per (component, version, framework‑model) key. + +# Scoring (quiet by design) + +Use stable, auditable inputs: + +* **Base:** CVSS v4.0 metrics (as provided by source), fall back to v3.1 if v4 missing. 
+* **Exploit maturity:** explicit flags when present (known exploited, PoC available, none). +* **Reachability boost/penalty:** function‑level confirmation > package‑level guess; runtime evidence > static‑only. +* **Compensating controls:** WAF/feature flags/sandboxing recorded as gates that reduce surfaced priority (but never erase provenance). + +# Minimal data contracts (copy‑paste into your code) + +**SBOM node (core):** + +```json +{ + "purl": "pkg:npm/lodash@4.17.21", + "hashes": [{"alg":"sha256","value":"..."}], + "licenses": ["MIT"], + "build": {"sourceUri":"git+https://...","commit":"..."}, + "attestations": [{"type":"intoto","subjectDigest":"sha256:..."}] +} +``` + +**Finding proof (per alert):** + +```json +{ + "id": "FND-abc123", + "component": {"purl":"pkg:maven/org.example/foo@1.2.3"}, + "vuln": {"id":"CVE-2024-XXXX","source":"OSV"}, + "matchRule": {"name":"purl-eq","details":{"range":"[1.2.0,1.2.5)"}}, + "vexGate": {"status":"affected","justification":"reachable_code_path"}, + "reachability": { + "staticPath": ["Controller.handle","Service.parse","lib/vulnFunc"], + "runtimeHits": [{"symbol":"lib/vulnFunc","count":37}] + }, + "score": {"base":7.1,"exploit":"poc","reach":"function","final":8.4}, + "provenance": { + "sbomDigest":"sha256:...", + "ruleset":"signals-1.4.2", + "feeds":[{"name":"OSV","etag":"..."}], + "attRef":"rekor:sha256:..." + } +} +``` + +# Services & where they live in Stella Ops + +* **Sbomer**: Syft‑backed generators (SPDX/CycloneDX) + DSSE signing. +* **Feedser/Concelier**: fetch & normalize vuln feeds (OSV/GHSA/vendor), maintain trust scores; “preserve‑prune source” rule stays. +* **Scanner.WebService**: orchestrates analyzers; run lattice algorithms here (per your standing rule). +* **Vexer/Excititor**: VEX issuance + policy evaluation (lattice gates). +* **Authority**: key management, DSSE signing, Rekor client (and mirror) endpoints. +* **Signals**: event‑sourced store for proofs, reachability artifacts, and scoring outputs. 
+ +# Policies (tiny DSL sketch) + +```yaml +version: 1 +sources: + - id: osv + trust: 0.9 +gates: + - id: not-present + when: component.present == false + action: vex(status: not_affected, reason: component_not_present) + - id: unreachable + when: reachability.static == false and reachability.runtime == false + action: vex(status: not_affected, reason: vulnerable_code_not_in_execute_path) +scoring: + base: cvss.v4 or cvss.v3 + adjust: + - if: exploit.maturity in ["known_exploited","poc"] + add: 0.8 + - if: reachability.function_confirmed + add: 1.1 + - if: gate == "not-present" + subtract: 3.0 +``` + +# Attestations & transparency (pragmatic path) + +* **Produce** DSSE‑wrapped in‑toto statements for SBOM, ScanResult, and VEXBundle. +* **Record** statement digests in Rekor (or your **Proof‑Market** mirror) with pointers back to your artifact store. +* **Bundle** offline kits with SBOM+VEX+attestations and a mini‑Rekor log segment for air‑gapped audits. + +# UX: one‑screen truth + +* Table of findings with **Final Score**, a **“Why?”** button expanding the 5‑part proof chain, and **Fix** suggestions. +* Global toggles: *Show only reachable*, *Mute not‑affected*, *Show deltas* (Smart‑Diff), *Export VEX*. + +# “Done next” checklist + +* Wire Syft→SPDX/CycloneDX→DSSE emit → Rekor client. +* Normalize feeds to a single vuln model with trust weights. +* Implement **FindingProof** schema and persist it in Signals. +* Add **Symbolizer + per‑lang reachability** stubs (even minimal) to populate `reachability` fields. +* Ship VEX export (OpenVEX/CSAF) based on current gates. +* Add Smart‑Diff over SBOM + symbol graph hashes. +* Surface the full proof chain in UI/CLI. + +If you want, I can drop in concrete .NET 10 interfaces/classes for each component and a first pass of the Rekor/DSSE helpers next. 
diff --git a/docs/product-advisories/15-Nov-2026 - scanner roadmap with deterministic diff-aware rescans.md b/docs/product-advisories/15-Nov-2026 - scanner roadmap with deterministic diff-aware rescans.md new file mode 100644 index 000000000..c8654a6e7 --- /dev/null +++ b/docs/product-advisories/15-Nov-2026 - scanner roadmap with deterministic diff-aware rescans.md 
@@ -0,0 +1,102 @@ + + +Here’s a compact, plain‑English plan to make your scanner **faster, quieter, and auditor‑friendly** by (1) diff‑aware rescans and (2) unified binary+source reachability—both drop‑in for Stella Ops. + +# Deterministic, diff‑aware rescans (clean SBOM/VEX diffs) +**Goal:** Only recompute what changed; emit stable, minimal diffs reviewers can trust. + +**Core ideas** +- **Per‑layer SBOM artifacts (cacheable):** For each image layer `L#`, persist: + - `sbom-L#.cdx.json` (CycloneDX), `hash(L#)`, `toolchain-hash`, `feeds-hash`. + - **Symbol‑fingerprints** for each discovered file: `algo|path|size|mtime|xxh3|funcIDs[]`. +- **Slice recomputation:** On new image `I'`, match layers via hashes; for changed layers or files, recompute *only* their call‑graph slices and vuln joins. +- **Deterministic manifests:** Every scan writes a `scan.lock.json` (inputs, feed versions, rules, lattice policy hash, tool versions, clocks) so results are **replayable**. + +**Minimal data model (Mongo)** +- `scan_runs(_id, imageDigest, inputsHash, policyHash, feedsHash, startedAt, finishedAt, parentRunId?)` +- `layer_sboms(scanRunId, layerDigest, sbomCid, symbolIndexCid, layerHash)` +- `file_symbols(scanRunId, path, fileHash, funcIDs[], lang, size, mtime)` +- `diffs(fromRunId, toRunId, kind: 'sbom'|'vex'|'reachability', stats, patch)` (store JSON Patch) + +**Algorithm sketch** +1. Resolve base image ancestry → map `old layer digest ↔ new layer digest`. +2. For unchanged layers: reuse `layer_sboms` + `file_symbols`. +3. For changed/added files: re‑symbolize + re‑analyze; restrict call‑graph build to **impacted SCCs**. +4. Re‑join OSV/GHSA/vendor vulns → compute reachability deltas → emit **stable JSON Patch**. 
+ +**CLI impact** +- `stella scan --deterministic --cache-dir ~/.stella/cache --emit-diff previousRunId` +- `stella diff --from --to --format jsonpatch|md` + +--- + +# Unified binary + source reachability (function‑level) +**Goal:** Decide “is the vulnerable function reachable/used here?” across native and managed code. + +**Extraction** +- **Binary symbolizers:** + - ELF: parse `.symtab`/`.dynsym`, DWARF (if present). + - Mach‑O/PE: export tables + DWARF/PDB (if present). + - Build **Canonical Symbol ID (CSID)**: `lang:pkg@ver!binary#file:function(signature)`; normalize C++/Rust mangling. +- **Source symbolizers:** + - .NET (Roslyn+IL), JVM (bytecode), Go (SSA), Node/TS (TS AST), Python (AST), Rust (HIR/MIR if available). +- **Bindings join:** Map FFI edges (P/Invoke, cgo, JNI/JNA, N-API) → **cross‑ecosystem call edges**: + - `.NET P/Invoke` → DLL export CSID. + - Java JNI → `Java_com_pkg_Class_Method` ↔ native export. + - Node N-API → addon exports ↔ JS require() site. + +**Reachability pipeline** +1. Build per‑language call graphs (CG) with framework models (ASP.NET, Spring, Express, etc.). +2. Add FFI edges; merge into a **polyglot call graph**. +3. Mark **entrypoints** (container `CMD/ENTRYPOINT`, web handlers, cron, CLI verbs). +4. For each CVE → {pkg, version, affected symbols[]} map → **is any affected CSID on a path from an entrypoint?** +5. Output evidence: + - `reachable: true|false|unknown` + - shortest path (symbols list) + - probes (optional): runtime samples (EventPipe/JFR/uprobes) hitting CSIDs + +**Artifacts emitted** +- `symbols.csi.jsonl` (all CSIDs) +- `polyglot.cg.slices.json` (only impacted SCCs for diffs) +- `reach.vex.json` (OpenVEX/CSAF with function‑level notes + confidence) + +--- + +# What to build next (low‑risk, high‑impact) +- **[Week 1–2]** Per‑layer caches + `scan.lock.json`; file symbol‑fingerprints (xxh3 + top‑K funcIDs). +- **[Week 3–4]** ELF/PE/Mach‑O symbolizer lib with CSIDs; .NET IL + P/Invoke mapper. 
+- **[Week 5–6]** Polyglot CG merge + entrypoint discovery from Docker metadata; JSON Patch diffs. +- **[Week 7+]** Runtime probes (opt‑in) to boost confidence and suppress false positives. + +--- + +# Tiny code seeds (C# hints) + +**Symbol fingerprint (per file)** +```csharp +record SymbolFingerprint( + string Algo, string Path, long Size, long MTimeUnix, + string ContentHash, string[] FuncIds); +``` + +**Deterministic scan lock** +```csharp +record ScanLock( + string FeedsHash, string RulesHash, string PolicyHash, string Toolchain, + string ImageDigest, string[] LayerDigests, DateTimeOffset Clock, + IDictionary EnvPins); +``` + +**JSON Patch diff emit** +```csharp +var patch = JsonDiffPatch.Diff(oldVexJson, newVexJson); // stable sort keys beforehand +File.WriteAllText("vex.diff.json", patch); +``` + +--- + +If you want, I can turn this into: +- a **.proto** for the cache/index objects, +- a **Mongo schema + indexes** (including compound keys for fast layer reuse), +- and a **.NET 10** service skeleton (`StellaOps.Scanner.WebService`) with endpoints: +`/scan`, `/diff/{from}/{to}`, `/reach/{runId}`. \ No newline at end of file diff --git a/docs/product-advisories/16-Nov-2026 - layer-sbom cache hash reuse.md b/docs/product-advisories/16-Nov-2026 - layer-sbom cache hash reuse.md new file mode 100644 index 000000000..9621ead87 --- /dev/null +++ b/docs/product-advisories/16-Nov-2026 - layer-sbom cache hash reuse.md 
@@ -0,0 +1,146 @@ +Here’s a fast, practical idea to speed up container scans: add a **hash‑based SBOM layer cache** keyed by **(Docker layer digest + dependency‑manifest checksum)** so identical inputs skip recomputation and only verify attestations. + +--- + +### What this is (in plain words) + +* **Layers are immutable.** Each image layer already has a content digest (e.g., `sha256:...`). +* **Dependency state is declarative.** Lockfiles/manifest files (NuGet `packages.lock.json`, `package-lock.json`, `poetry.lock`, `go.sum`, etc.) summarize deps. +* If both the **layer bytes** and the **manifest content** are identical to something we’ve scanned before, recomputing the SBOM/VEX is wasted work. We can **reuse** the previous result (plus a quick signature/attestation check). + +--- + +### Cache key + +``` +CacheKey = SHA256( + concat( + LayerDigestCanonical, // e.g., "sha256:abcd..." + '\n', + ManifestAlgo, // e.g., "sha256" + ':', + ManifestChecksum // hash of lockfile(s) inside the layer FS view + ) +) +``` + +* Optionally include toolchain IDs to prevent cross‑version skew: + + * `SbomerVersion`, `ScannerRulesetVersion`, `FeedsSnapshotId` (OSV/NVD feed epoch), `PolicyBundleHash`. + +--- + +### When it hits + +* **Exact same layer + same manifests** → return cached **SBOM component graph + vuln findings + VEX** and **re‑verify** the **DSSE/in‑toto attestation** and timestamps (freshness SLA). +* **Same layer, manifests absent** → fall back to byte‑level heuristics (package index cache); lower confidence. + +--- + +### Minimal .NET 10 sketch (Stella Ops) + +```csharp +public sealed record LayerInput( + string LayerDigest, // "sha256:..." + string? ManifestAlgo, // "sha256" + string? ManifestChecksum, // hex + string SbomerVersion, + string RulesetVersion, + string FeedsSnapshotId, + string PolicyBundleHash); + +public static string ComputeCacheKey(LayerInput x) +{ + var s = string.Join("\n", new[]{ + x.LayerDigest, + x.ManifestAlgo ?? "", + x.ManifestChecksum ?? 
"", + x.SbomerVersion, + x.RulesetVersion, + x.FeedsSnapshotId, + x.PolicyBundleHash + }); + using var sha = System.Security.Cryptography.SHA256.Create(); + return Convert.ToHexString(sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(s))); +} + +public sealed class SbomCacheEntry +{ + public required string CacheKey { get; init; } + public required byte[] CycloneDxJson { get; init; } // gz if large + public required byte[] VexJson { get; init; } + public required byte[] AttestationDsse { get; init; } // for re-verify + public required DateTimeOffset ProducedAt { get; init; } + public required string FeedsSnapshotId { get; init; } // provenance +} +``` + +--- + +### Cache flow (Scanner) + +1. **Before scan** + + * Extract manifest files from the union FS of the current layer. + * Hash them (stable newline normalization). + * Build `LayerInput`; compute `CacheKey`. + * **Lookup** in `ISbomCache.Get(CacheKey)`. +2. **Hit** + + * **Verify attestation** (keys/policy), **check feed epoch** still within tolerance, **re‑sign freshness** if policy allows. + * Emit cached SBOM/VEX downstream; mark provenance as “replayed”. +3. **Miss** + + * Run normal analyzers → SBOM → vuln match → VEX lattice. + * Create **in‑toto/DSSE attestation**. + * Store `SbomCacheEntry` and **index by**: + + * `CacheKey` (primary), + * `LayerDigest` (secondary), + * `(ecosystem, manifestChecksum)` for diagnostics. +4. **Invalidation** + + * Roll cache on **FeedsSnapshotId** bumps or **RulesetVersion** change. + * TTL optional for emergency revocations; keep **attestation+provenance** for audit. + +--- + +### Storage options + +* **Local**: content‑addressed dir (`/var/lib/stellaops/sbom-cache/aa/bb/.cjson.gz`). +* **Remote**: Redis or Mongo (GridFS) keyed by `cacheKey`; attach indexes on `LayerDigest`, `FeedsSnapshotId`. +* **OCI artifact**: push SBOM/VEX as OCI refs tied to layer digest (helps multi‑node CI). 
+ +--- + +### Attestation verification (quick) + +* On hit: `Verify(AttestationDsse, Policy)`; ensure `subject.digest == LayerDigest` and metadata (`FeedsSnapshotId`, tool versions) matches required policy. +* Optional **freshness stamp**: a tiny, fast “verification attestation” you produce at replay time. + +--- + +### Edge cases + +* **Multi‑manifest layers** (polyglot): combine checksums in a stable order (e.g., `SHA256(man1 + '\n' + man2 + ...)`). +* **Runtime‑only diffs** (no manifest change): include **package index snapshot hash** if you maintain one. +* **Reproducibility drift**: include analyzer version & configuration knobs in the key so the cache never masks rule changes. + +--- + +### Why this helps + +* Cold scans compute once; subsequent builds (same base image + same lockfiles) **skip minutes of work**. +* Reproducibility becomes **measurable**: cache hit ratio per repo, per base image, per feed epoch. + +--- + +### Quick tasks to add to Stella Ops + +* [ ] Implement `LayerInput` + keying in `Scanner.WebService`. +* [ ] Add **Manifest Harvester** step per ecosystem (NuGet, npm, pip/poetry, go, Cargo). +* [ ] Add `ISbomCache` (local + Mongo/OCI backends) with metrics. +* [ ] Wire **attestation re‑verify** path on hits. +* [ ] Ship a **cache report**: hit/miss, time saved, reasons for miss (ruleset/feeds changed, manifest changed, new analyzer). + +If you want, I can draft the actual C# interfaces (cache backend + verifier) and a tiny integration for your existing `Sbomer`/`Vexer` services next. diff --git a/docs/product-advisories/16-Nov-2026 - multi-runtime reachability corpus.md b/docs/product-advisories/16-Nov-2026 - multi-runtime reachability corpus.md new file mode 100644 index 000000000..cd34d16fd --- /dev/null +++ b/docs/product-advisories/16-Nov-2026 - multi-runtime reachability corpus.md 
@@ -0,0 +1,224 @@ +Here’s a compact, implementation‑ready plan to validate function‑level reachability with a public, minimal CVE corpus—one runnable example per runtime (Go, .NET, Python, Rust). It gives you known vulnerable symbols, a tiny app that (optionally) calls them, and captured runtime traces to prove reachability. + +--- + +# Corpus layout + +``` +stellaops-reach-corpus/ + README.md + tooling/ + capture-dotnet-eventpipe.ps1 + capture-go-trace.sh + capture-python-coverage.sh + capture-rust-probe.sh + go/ + CVE-YYYY-XXXX-min/ + go.mod + vulner/pkg/vuln.go // vulnerable symbol(s): func DoVuln() + app/main.go // calls or avoids DoVuln() via flag + traces/ // .out/.json from runtime + EXPECT.yaml // ground truth: reachable? call path? + dotnet/ + CVE-YYYY-XXXX-min/ + src/VulnLib/VulnLib.cs // [MethodImpl] public static void DoVuln() + src/App/App.csproj + src/App/Program.cs // --reach / --no-reach + traces/ // .nettrace, EventPipe JSON, stack dumps + EXPECT.yaml + python/ + CVE-YYYY-XXXX-min/ + vuln/__init__.py // def do_vuln() + app.py // toggle call via env + requirements.txt + traces/coverage/ // coverage.xml + callgraph.json + EXPECT.yaml + rust/ + CVE-YYYY-XXXX-min/ + Cargo.toml + src/lib.rs // pub fn do_vuln() + src/main.rs // feature flags: reach/no_reach + traces/ // eBPF/usdt or log-markers + EXPECT.yaml +``` + +--- + +# EXPECT.yaml (shared contract) + +```yaml +id: CVE-YYYY-XXXX +ecosystem: (go|dotnet|python|rust) +packages: + - name: example.org/vulner + version: 1.0.0 +symbols: + - fqname: example.org/vulner.DoVuln # or Namespace.Class.Method, module.func + kind: function +scenarios: + - name: reach + args: ["--reach"] + expected: + reachable: true + call_paths: + - ["app.main", "vulner.DoVuln"] + runtime_hits: >=1 + - name: no_reach + args: ["--no-reach"] + expected: + reachable: false + call_paths: [] + runtime_hits: 0 +artifacts: + - sbom: sbom.cdx.json + - trace: traces/reach.trace +notes: Minimal repro; avoid network/filesystem side effects. 
+``` + +--- + +# Minimal vulnerable symbol patterns + +**Go** + +`vulner/pkg/vuln.go` + +```go +package vulner +func DoVuln(input string) string { return "vuln:" + input } // marker +``` + +`app/main.go` + +```go +package main +import ( + "flag" + "example.org/vulner" + "fmt" +) +func main() { + reach := flag.Bool("reach", false, "call vuln") + flag.Parse() + if *reach { fmt.Println(vulner.DoVuln("hit")) } else { fmt.Println("skip") } +} +``` + +**.NET (C# / .NET 10)** + +`VulnLib/VulnLib.cs` + +```csharp +namespace VulnLib; +public static class V { + public static string DoVuln(string s) => "vuln:" + s; // marker +} +``` + +`App/Program.cs` + +```csharp +using System; +using VulnLib; +var reach = args.Contains("--reach"); +Console.WriteLine(reach ? V.DoVuln("hit") : "skip"); +``` + +**Python** + +`vuln/__init__.py` + +```python +def do_vuln(s: str) -> str: + return "vuln:" + s # marker +``` + +`app.py` + +```python +import os +from vuln import do_vuln +print(do_vuln("hit") if os.getenv("REACH")=="1" else "skip") +``` + +**Rust** + +`src/lib.rs` + +```rust +pub fn do_vuln(s: &str) -> String { format!("vuln:{s}") } // marker +``` + +`src/main.rs` + +```rust +use std::env; use vuln::do_vuln; +fn main() { + let reach = env::args().any(|a| a=="--reach"); + println!("{}", if reach { do_vuln("hit") } else { "skip".into() }); +} +``` + +--- + +# Runtime trace capture (tiny, deterministic) + +* **Go**: `-toolexec` or `GODEBUG=efence=1` not required; use `go test -run TestReach -vet=off` (optional) + `pprof` or `runtime/trace`. + + * `tooling/capture-go-trace.sh`: `go test ./... -run TestNoop && go test -run TestReach -trace=traces/reach.out` + +* **.NET**: EventPipe + + * `dotnet-trace collect -p $PID --providers Microsoft-DotNETCore-SampleProfiler:0:5` + * Or `dotnet-monitor collect --duration 5s --process-id ... 
--artifact-type traces` + +* **Python**: `coverage run -m app` + `coverage xml -o traces/coverage/coverage.xml` + +* **Rust**: simplest is log markers + `RUST_LOG` capture; optional: `perf record -g` or USDT via `tokio-tracing` if you want call sites. + +Each trace folder includes a short `trace.json` (normalized stack hits for the vulnerable symbol) produced by a tiny normalizer script you ship in `tooling/`. + +--- + +# SBOM & ground‑truth + +For each example: + +* Generate CycloneDX SBOM (use the language’s simplest generator or a tiny script) and include component + symbol annotations (e.g., `properties` with `symbol:fqname`). +* Keep versions pinned to avoid drift. + +--- + +# Validation runner (one command) + +`tooling/validate-all.sh`: + +1. Build each example twice (reach / no_reach). +2. Capture SBOM + runtime traces. +3. Emit a unified `results.json` with: + + * detected symbols from your Symbolizer + * static call‑graph reachability + * runtime hit count per symbol + * pass/fail vs `EXPECT.yaml`. + +Exit non‑zero on any mismatch → perfect for CI gates. + +--- + +# Why this works as a public differentiator + +* **Minimal & real**: one tiny, idiomatic app per runtime; clear vulnerable symbol; two scenarios. +* **Auditable**: EXPECT.yaml + traces make results falsifiable. +* **Portable**: no network, no DB; runs in Docker or GitHub Actions. +* **Extensible**: add more CVEs by copying the template and swapping the “vulnerable symbol” (e.g., path‑traversal helper, unsafe deserializer stub, weak RNG wrapper). + +--- + +# Next steps I can deliver immediately + +* Bootstrap repo with the above structure. +* Add the four first examples + scripts. +* Wire a single `validate-all` CLI to produce a JUnit‑style report for your CI. + +If you want, I’ll generate the skeleton with ready‑to‑run code, EXPECTs, and the capture scripts tailored to your .NET 10 + Docker workflow. 
diff --git a/docs/product-advisories/16-Nov-2026 - spdx canonical persistence cyclonedx interchange.md b/docs/product-advisories/16-Nov-2026 - spdx canonical persistence cyclonedx interchange.md new file mode 100644 index 000000000..f038cdbd3 --- /dev/null +++ b/docs/product-advisories/16-Nov-2026 - spdx canonical persistence cyclonedx interchange.md 
@@ -0,0 +1,34 @@ +Here’s a quick, concrete proposal to **lock in a stable SBOM model for Stella Ops**: use **SPDX 3.0.1** as your canonical persistence schema and **CycloneDX 1.6** as the interchange “view,” bridged by a deterministic transform. + +**Why this pairing** + +* **SPDX 3.0.1** gives you a rigorous, profile‑based data model (Core/Security/AI/Build, etc.) with explicit **Relationship** semantics—ideal for long‑lived storage and graph queries. ([SPDX][1]) +* **CycloneDX 1.6** excels at exchange: widely adopted, supports **services/SaaSBOM**, **attestations (CDXA)**, **CBOM (crypto inventory)**, MLBOM, and more—perfect for producing portable BOMs for customers and regulators. ([CycloneDX][2]) + +**Target architecture (minimal)** + +* **Persistence:** Store SBOMs as SPDX 3.0.1 (JSON‑LD/RDF), normalized into your Mongo event‑sourced graph; keep Relationship edges first‑class. ([SPDX][1]) +* **Interchange:** On export, render CycloneDX 1.6 (JSON/XML) including `components`, `services`, `dependencies`, `vulnerabilities`, and optional CBOM/CDXA blocks. ([SBOM Observer][3]) +* **Deterministic transform:** Define a static mapping table (SPDX→CycloneDX) with sorted collections, stable UUID seeds, and normalized strings to guarantee byte‑for‑byte reproducibility across offline sites. + +**Quick win mapping examples** + +* SPDX `Element` + `RelationshipType` → CycloneDX `dependencies` graph. ([SPDX][4]) +* SPDX Security profile findings → CycloneDX `vulnerabilities` entries. ([SPDX][1]) +* SPDX AI/Build profiles → CycloneDX MLBOM + CDXA attestations (build/provenance). ([SPDX][5]) +* Crypto materials (keys/algos/policies) held in SPDX extensions or attributes → CycloneDX **CBOM** on export for policy checks (CNSA/NIST). ([CycloneDX][2]) + +**Governance & standards signal** + +* SPDX 3.0.x is actively aligned with **OMG/ISO** submissions (good long‑term bet for storage). 
([SPDX Lists][6]) +* CycloneDX 1.6 is the current, actively enhanced interchange standard used across vendors and tooling. ([GitHub][7]) + +If you want, I’ll draft the exact field‑by‑field mapping table (SPDX profile → CycloneDX section), plus a small .NET 10 library skeleton for the deterministic exporter. + +[1]: https://spdx.github.io/spdx-spec/v3.0.1/?utm_source=chatgpt.com "SPDX Specification 3.0.1" +[2]: https://cyclonedx.org/news/cyclonedx-v1.6-released/?utm_source=chatgpt.com "CycloneDX v1.6 Released, Advances Software Supply ..." +[3]: https://sbom.observer/academy/learn/topics/cyclonedx?utm_source=chatgpt.com "What is CycloneDX?" +[4]: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/RelationshipType/?utm_source=chatgpt.com "RelationshipType - SPDX Specification 3.0.1" +[5]: https://spdx.dev/wp-content/uploads/sites/31/2024/12/SPDX-3.0.1-1.pdf?utm_source=chatgpt.com "SPDX© Specification v3.0.1" +[6]: https://lists.spdx.org/g/Spdx-tech/topic/release_3_0_1_of_the_spdx/110308825?utm_source=chatgpt.com "Release 3.0.1 of the SPDX Specification" +[7]: https://github.com/CycloneDX/specification?utm_source=chatgpt.com "CycloneDX/specification" diff --git a/docs/product-advisories/16-Nov-2026 - validation plan for quiet scans provenance diff-ci.md b/docs/product-advisories/16-Nov-2026 - validation plan for quiet scans provenance diff-ci.md new file mode 100644 index 000000000..7b88604f6 --- /dev/null +++ b/docs/product-advisories/16-Nov-2026 - validation plan for quiet scans provenance diff-ci.md 
@@ -0,0 +1,132 @@ +Here’s a practical, plain‑English game plan to validate three big Stella Ops claims—quiet scans, provenance, and diff‑native CI—so you (and auditors/customers) can reproduce the results end‑to‑end. + +--- + +# 1) “Explainably quiet by design” + +**Goal:** Fewer false‑alarms, with every suppression justified (reachability/VEX), and every alert deduplicated and actionable. + +**What to measure** + +* **Noise rate:** total findings vs. actionable (has fix/KB/CWE + reachable or policy‑relevant). +* **Dedup:** identical CVE across layers/repos counted once. +* **Explainability:** % of findings with a clear path (package → symbol/function → evidence). +* **Suppression justifications:** % of suppressed items with VEX reason (not affected, configuration, environment, reachability). + +**A/B test setup** + +* **Repos (representative mix):** .NET (aspnet app & library), JVM (Spring), Node/TS (Nest), Python (FastAPI), Go (CLI), container base images (Alpine, Debian, Ubuntu), and a known‑noisy mono‑repo. +* **Modes:** `baseline=no VEX/reach`, `quiet=reach+VEX+dedup`. +* **Metrics capture:** emit JSONL per repo with counts and examples. + +**Minimal harness (pseudo)** + +```bash +# baseline +stella scan repo --out baseline.jsonl --no-reach --no-vex --no-dedup +# quiet +stella scan repo --out quiet.jsonl --reach --vex openvex.json --dedup +stella explain --in quiet.jsonl --evidence callgraph,eventpipe --why > explain.md +stella metrics compare baseline.jsonl quiet.jsonl > ab_summary.md +``` + +**Pass criteria (suggested)** + +* ≥50% reduction in non‑actionable alerts. +* 100% of suppressions carry VEX+reason. +* ≥90% of actionable findings link to evidence (reachable symbol or policy gate). + +--- + +# 2) “Provenance‑first DevSecOps” + +**Goal:** Ship a verifiable bundle anyone can check offline: SBOM + attestations + transparency‑log proof. + +**What to export** + +* **SBOM:** CycloneDX 1.6 or SPDX 3.0.1. 
+* **Provenance attestation:** in‑toto/DSSE (builder, materials, recipe, digest). +* **Signatures:** Sigstore (cosign) or regional crypto (pluggable). +* **Transparency log receipt:** Rekor (or mirror) inclusion proof. +* **Policy snapshot:** the exact policy/lattice and feed hashes used. +* **Repro manifest:** declarative inputs so scans are replayable. + +**One‑shot exporter** + +```bash +stella bundle export \ + --sbom cyclonedx.json \ + --attest provenance.intoto.jsonl \ + --sig cosign.sig \ + --rekor-inclusion rekor.json \ + --policy policy.yml \ + --replay manifest.lock.json \ + --out stella-proof-bundle.tgz +``` + +**Independent verification (clean machine)** + +```bash +stella bundle verify stella-proof-bundle.tgz \ + --check-sig --check-rekor --check-sbom --check-policy --replay +# Output should show digest matches, valid DSSE, Rekor inclusion, and replay parity. +``` + +**Pass criteria** + +* All cryptographic checks pass offline. +* Replay produces byte‑identical findings set (or a diff limited to time‑varying feeds pinned by hash). + +--- + +# 3) “Diff‑native CI for containers” + +**Goal:** Rescan only what changed (layers/deps/policies) with equal detection parity and lower wall‑time. + +**Test matrix** + +* **Images:** multistage app (runtime+deps), language runtimes (dotnet, jre, node, python), and a “fat” base (ubuntu:XX). +* **Changes:** Dockerfile ENV only, add/remove package, patch app DLL/JAR/JS, policy toggle. + +**Runs** + +```bash +# Full scan +time stella image scan myimg:old > full_old.json +time stella image scan myimg:new > full_new.json + +# Diff-aware +time stella image scan myimg:new --diff-from myimg:old --cache .stella-cache > diff_new.json + +stella parity check full_new.json diff_new.json > parity.md +``` + +**Metrics** + +* **Parity:** same actionable findings IDs (allowing dedup). +* **Speedup:** (full time) / (diff time). +* **Cache hit ratio:** reused layers/components. 
+ +**Pass criteria** + +* 100% actionable parity on modified images. +* ≥3× faster on typical “small change” commits; no worse than full scan when cache misses. + +--- + +## What you’ll publish (deliverables) + +* `VALIDATION_PLAN.md` — steps above with fixed seeds (image digests, repo SHAs). +* `harness/` — scripts to run A/B and diff tests, export bundles, and verify. +* `results/YYYY‑MM/` — raw JSONL, parity reports, timing tables, and a 1‑page summary. +* `policy/` — locked policy + feed hashes used in the runs. + +--- + +## Nice‑to‑have extras + +* **Reachability/VEX gallery:** a few “before/after” call graphs and suppression cards. +* **Auditor mode:** `stella audit open stella-proof-bundle.tgz` → read‑only UI that renders SBOM, VEX, signatures, Rekor proof, and replay log. +* **CI examples:** GitLab/GitHub YAML snippets for full vs. diff jobs with caching. + +If you want, I can spit out the repo‑ready scaffold (folders, stub scripts, sample policies) tailored to your .NET 10 + Docker setup so you can run this tonight. diff --git a/src/Findings/AGENTS.md b/src/Findings/AGENTS.md new file mode 100644 index 000000000..7a217d046 --- /dev/null +++ b/src/Findings/AGENTS.md 
@@ -0,0 +1,56 @@ +# Findings Ledger · AGENTS.md + +## Working directory +- Primary path: `src/Findings/StellaOps.Findings.Ledger` (and sibling test project under `src/Findings/__Tests` when exercising tests). +- Do not touch other modules unless the sprint explicitly permits cross-module edits; Orchestrator/AirGap/Attestor integration work must land behind feature flags and be coordinated via their sprints. + +## Roles covered +- Backend engineer: .NET 10/C# for ledger services, projections, provenance links, Merkle anchoring. +- QA / determinism: replay harness, property/integration tests, load testing at ≥5M findings/tenant. +- Observability / DevOps: metrics, logs, dashboards, alert wiring, deployment/backup/offline kits. + +## Required reading before DOING +- Global: `docs/README.md`, `docs/07_HIGH_LEVEL_ARCHITECTURE.md`, `docs/modules/platform/architecture-overview.md`. +- Ledger module: + - `docs/modules/findings-ledger/observability.md` + - `docs/modules/findings-ledger/replay-harness.md` + - `docs/modules/findings-ledger/deployment.md` + - `docs/modules/findings-ledger/implementation_plan.md` + - `docs/modules/findings-ledger/airgap-provenance.md` + - `docs/modules/findings-ledger/schema.md` (sealed-mode and Merkle root structure) + - `docs/modules/findings-ledger/workflow-inference.md` (projection rules) +- Observability policy: `docs/observability/policy.md`. + +## Execution rules +- Update sprint `Delivery Tracker` status when you start/stop/finish: TODO → DOING → DONE/BLOCKED. +- If a contract/design decision is missing, mark the task BLOCKED in the sprint, add the decision needed under **Decisions & Risks**, then continue with other unblocked tasks. +- Keep outputs deterministic: UTC ISO-8601 timestamps, stable ordering, seeded property tests, repeatable replay runs. + +## Coding & data guidelines +- Target .NET 10; prefer latest C# preview features allowed by repo tooling. 
+- Logging: structured `Ledger.*` logs; no PII; include `tenant`, `chain`, `policy`, `status`, `anchor` labels where applicable. +- Metrics: emit only metric names/labels listed in `observability.md`; new series require Observability Guild approval. +- Storage: follow schema in `schema.md`; preserve Merkle invariants and provenance pointers (orchestrator job IDs, bundle IDs, DSSE/attestation IDs). +- Feature flags: gate Orchestrator/AirGap/Attestor integrations; defaults must be safe for air-gapped/offline mode. + +## Testing +- Mandatory: unit + property tests for ledger state/merkle roots; integration tests for projections and provenance pointers. +- Replay/determinism: use the harness in `replay-harness.md` (5M findings/tenant scenario); produce signed harness report (DSSE) for LEDGER-29-008. +- Load tests should record CPU/memory budgets as part of run artifacts; keep seeds and fixtures under version control. + +## Observability & operations +- Metrics/logs/traces via OpenTelemetry → OTLP → Prometheus/Tempo/Loki; respect `observability.enabled` flag. +- Dashboards: include Grafana JSON exports under `offline/telemetry/dashboards/ledger`. +- Alerts: wire as documented in `observability.md`; for air-gap emit to syslog + CLI incident scripts. +- Deployments: follow `deployment.md` for Helm/Compose overlays, migrations, backup/restore, and offline kits. + +## Offline/air-gap +- Never assume external network; rely on mirrored feeds and bundled assets. +- Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) when importing advisories/VEX/policies as per `airgap-provenance.md`. +- Exports that become stale beyond documented thresholds must be blocked with remediation messaging. + +## Acceptance checklist for changes +- Tests updated/added and passing locally (`dotnet test` within module scope). +- Metrics/logs follow approved names and labels; dashboards/alerts updated if schemas change. 
+- Replay harness run (or planned) for determinism-impacting changes; attach/report results. +- Docs updated when contracts or workflows change (module docs, observability policy, sprint Decisions & Risks).
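Review bot: In the "Policies (tiny DSL sketch)" section, the `unreachable` gate emits `vex(status: not_affected, ...)` whenever `reachability.static == false and reachability.runtime == false`, yet the "Done next" checklist in the same file proposes populating the `reachability` fields from minimal stubs. A stub, or a run where no runtime probes were collected, that leaves these fields at false would suppress findings through exported VEX with no analysis behind it. Suggest making the fields tri-state (true/false/unknown) and letting the gate fire only when the analysis actually ran, with the same condition applied before `subtract: 3.0` is used in scoring.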
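Review bot: In `15-Nov-2026 - scanner roadmap with deterministic diff-aware rescans.md`, the symbol fingerprint `algo|path|size|mtime|xxh3|funcIDs[]` and the `MTimeUnix` member of `SymbolFingerprint` put mtime into the identity of a file, and mtime differs between otherwise identical rebuilds, so fingerprints will miss and the diffs will not be stable. Suggest dropping mtime from the compared fields or documenting it as non-keyed metadata. Separately, xxh3 is not collision-resistant; if reuse of earlier analysis is decided on this value, state that the decision is keyed on a cryptographic digest (the `fileHash` column in `file_symbols` could carry it) and that xxh3 is only a fast pre-filter.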
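Review bot: In `16-Nov-2026 - layer-sbom cache hash reuse.md`, the "Cache key" formula and `ComputeCacheKey` disagree: the formula hashes `LayerDigestCanonical '\n' ManifestAlgo ':' ManifestChecksum` and calls the toolchain IDs optional, while the C# joins all seven fields with "\n" and always includes them, so two implementations following this doc would produce different keys. Pick one definition and make the other match. The hit path also only requires `subject.digest == LayerDigest` in the attestation, which does not bind the manifest checksum that is part of the key; suggest requiring the attestation to cover `ManifestChecksum` (or the `CacheKey` itself) so an entry stored under the wrong key fails verification. It would also help to say how the "manifests absent" case is kept apart, since `?? ""` gives it an ordinary key with no lower-confidence marker.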
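Review bot: In `16-Nov-2026 - multi-runtime reachability corpus.md`, the shared `EXPECT.yaml` contract has `runtime_hits: >=1` unquoted; a value starting with `>` is read as a folded block scalar header and `=1` is not a valid indicator, so YAML parsers will reject the file. Quote it (`">=1"`) or split it into a numeric minimum field. The contract also drives scenarios only through `args: ["--reach"]`, but `app.py` toggles on `os.getenv("REACH")=="1"`, so the Python example would print "skip" in both scenarios; either add an `env` field to the scenario schema or have `app.py` read the flag. Minor: the Go capture line uses `go test -run TestReach -trace=...` while the layout lists no test file for that example.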
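Review bot: In `16-Nov-2026 - spdx canonical persistence cyclonedx interchange.md`, every reference link [1] to [7] carries a `?utm_source=chatgpt.com` tracking parameter. Strip the query strings so the committed doc points at the canonical URLs. The "deterministic transform" bullet promises byte-for-byte reproducibility but does not name the JSON canonicalization or the UUID derivation; a sentence fixing both would make the claim checkable.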
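Review bot: In `16-Nov-2026 - validation plan for quiet scans provenance diff-ci.md`, section 2 sets the pass criterion "All cryptographic checks pass offline", but the `stella bundle export` flags list only the signature, `--rekor-inclusion rekor.json` and the policy, with no signer certificate or public key and no log key or checkpoint. Document where the clean machine gets its trust roots, and that they are pinned out of band rather than read from the bundle being verified; otherwise `--check-sig --check-rekor` can only show the bundle is self-consistent.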
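Review bot: In `src/Findings/AGENTS.md`, the acceptance checklist item "Replay harness run (or planned) for determinism-impacting changes" lets a determinism-impacting change be accepted without the harness ever having run, which is at odds with the "Testing" section that treats replay as mandatory evidence. Suggest dropping "(or planned)" or stating which sprint state a change may reach before the run is attached.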